It is legitimate for callers of skb_header_pointer to pass a negative offset, but the resulting pointer should not go outside the valid range of data in the skb. Signed-off-by: Stephen Hemminger --- a/include/linux/skbuff.h 2010-08-01 09:23:01.635121262 -0700 +++ b/include/linux/skbuff.h 2010-08-01 09:25:27.453901530 -0700 @@ -1853,6 +1853,9 @@ static inline void *skb_header_pointer(c { int hlen = skb_headlen(skb); + if (hlen + offset < 0) + return NULL; + if (hlen - offset >= len) return skb->data + offset;
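Review bot: the added test `if (hlen + offset < 0)` bounds a negative offset by hlen, which is the length of the linear data starting at skb->data, yet a negative offset makes `skb->data + offset` point before skb->data, where hlen says nothing about how many bytes are valid. For example, with hlen = 100 and offset = -4 the test passes and the following `hlen - offset >= len` branch returns skb->data - 4 whether or not four bytes exist in front of the data pointer. If the intent stated in the commit message is to keep the pointer inside the skb's valid data, the lower bound should be compared against the space in front of skb->data (skb_headroom(skb) looks like the natural quantity) rather than against hlen. It would also help to add a comment above the test saying which negative offsets callers are allowed to pass, since the function has no documented contract for them in the lines shown.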