diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b7796b4cf0a099e9f14b28e50cb07367021a7cbf..bbb3d39c69afc2d5a42c6ace8d473657861da61f 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1758,6 +1758,9 @@ static skb_frag_t *skb_advance_to_frag(struct sk_buff *skb, u32 offset_skb,
 {
 	skb_frag_t *frag;
 
+	if (unlikely(offset_skb >= skb->len))
+		return NULL;
+
 	offset_skb -= skb_headlen(skb);
 	if ((int)offset_skb < 0 || skb_has_frag_list(skb))
 		return NULL;