diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a6967ee897c46d1d88ccd13b6cac46fe6ddce4c2..b8170ae1461ed3706007223911851a5ebb83c94d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -393,6 +393,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
 	    replay_esn->bmp_len != up->bmp_len)
 		return -EINVAL;
 
+	if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+		return -EINVAL;
+
 	return 0;
 }