The patch is ipfw2-rel4.patch, and a sample rule triggering the buffer overrun is here.