diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index fa64b1b8a..f607cd7f2 100755
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -618,6 +618,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
 	if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) &&
 	    (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER ||
 	     skb->ip_summed != CHECKSUM_PARTIAL)) {
+		if (offset + priv->len > skb->len)
+			goto err;
+
 		fsum = skb_checksum(skb, offset, priv->len, 0);
 		tsum = csum_partial(src, priv->len, 0);