Apply by doing
	cd /usr/src
	patch -p0 <023_ip_ah.patch
And then rebuild your kernel.

Index: sys/netinet/ip_ah.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -r1.45 -r1.46
--- sys/netinet/ip_ah.c	2000/11/17 04:15:42	1.45
+++ sys/netinet/ip_ah.c	2001/02/20 06:48:06	1.46
@@ -253,6 +253,17 @@
 	    /* IPv4 option processing */
 	    for (off = sizeof(struct ip); off < skip;)
 	    {
+		if (ptr[off] == IPOPT_EOL || ptr[off] == IPOPT_NOP ||
+		    off + 1 < skip)
+		    ;
+		else
+		{
+		    DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off]));
+		    ahstat.ahs_hdrops++;
+		    m_freem(m);
+		    return EINVAL;
+		}
+			   
 		switch (ptr[off])
 		{
 		    case IPOPT_EOL:
@@ -268,10 +279,10 @@
 		    case 0x86:	/* Commercial security */
 		    case 0x94:	/* Router alert */
 		    case 0x95:	/* RFC1770 */
-			/* Sanity check for zero-length options */
-			if (ptr[off + 1] == 0)
+			/* Sanity check for option length */
+			if (ptr[off + 1] < 2)
 			{
-			    DPRINTF(("ah_massage_headers(): illegal zero-length IPv4 option %d\n", ptr[off]));
+			    DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off]));
 			    ahstat.ahs_hdrops++;
 			    m_freem(m);
 			    return EINVAL;
@@ -282,6 +293,15 @@
 
 		    case IPOPT_LSRR:
 		    case IPOPT_SSRR:
+			/* Sanity check for option length */
+			if (ptr[off + 1] < 2)
+			{
+			    DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off]));
+			    ahstat.ahs_hdrops++;
+			    m_freem(m);
+			    return EINVAL;
+			}
+
 			/*
 			 * On output, if we have either of the source routing
 			 * options, we should swap the destination address of
@@ -296,10 +316,10 @@
 
 			/* Fall through */
 		    default:
-			/* Sanity check for zero-length options */
-			if (ptr[off + 1] == 0)
+			/* Sanity check for option length */
+			if (ptr[off + 1] < 2)
 			{
-			    DPRINTF(("ah_massage_headers(): illegal zero-length IPv4 option %d\n", ptr[off]));
+			    DPRINTF(("ah_massage_headers(): illegal IPv4 option length for option %d\n", ptr[off]));
 			    ahstat.ahs_hdrops++;
 			    m_freem(m);
 			    return EINVAL;