diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index a225089df5b6693a715f95ab89de71be4a400338..96c5f0edb4cf28349605524e6f020b9eda06a1f4 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -35,7 +35,9 @@ again:
 		struct iphdr _iph;
 ip:
 		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
-		if (!iph)
+
+		/* CVE-2013-4348 issue : make sure iph->ihl is not zero ... */
+		if (!iph || iph->ihl < 5)
 			return false;
 
 		if (ip_is_fragment(iph))
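Review bot: The added comment says the guard is about `iph->ihl` being zero, but the condition `iph->ihl < 5` rejects every header length below the 20-byte IPv4 minimum, so the comment understates the check and never says why a short length matters. A wording that matches the code would be `/* CVE-2013-4348: ihl counts 32-bit words; anything below 5 is not a valid IPv4 header, so stop dissecting */`. The bare `5` could also be tied to the structure it protects, for example `iph->ihl < sizeof(_iph) / 4`, so the bound is visibly the size of `struct iphdr`. The code that later consumes `ihl` is outside this hunk (the function starts and ends outside it), so the exact failure a zero length triggers should be confirmed there before it is named in the comment.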