I found this problem while porting a security patch to my uboot. I've created a PoC exploit which can hang uboot during ping command (even with commit b85d130ea0cac152c21ec38ac9417b31d41b5552). In my case changing:

if (ip->ip_len < IP_MIN_FRAG_DATAGRAM_SIZE)

to:

if (ntohs(ip->ip_len) < IP_MIN_FRAG_DATAGRAM_SIZE)

solved the problem. But now I can see it's a bigger issue.

Tomorrow I will check these patches with my exploit.