diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 7ef8ac30fcbcdeb5594ac94f08940c9f1babd4ee..d7e16930c7f4454603ea5cda2f5ebf38bc911ac1 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1755,6 +1755,9 @@ static skb_frag_t *skb_advance_to_frag(struct sk_buff *skb, u32 offset_skb,
 {
 	skb_frag_t *frag;
 
+	if (unlikely(offset_skb >= skb->len))
+		return NULL;
+
 	offset_skb -= skb_headlen(skb);
 	if ((int)offset_skb < 0 || skb_has_frag_list(skb))
 		return NULL;