--- x/net/core/flow_dissector.c
+++ y/net/core/flow_dissector.c
@@ -1165,9 +1165,13 @@ proto_again:
 	case htons(ETH_P_IP): {
 		const struct iphdr *iph;
 		struct iphdr _iph;
+		const unsigned char *buf = data;
+
+		if (2 != buf[0])
+			_iph.ihl = 1;
 
 		iph = __skb_header_pointer(skb, nhoff, sizeof(_iph), data, hlen, &_iph);
-		if (!iph || iph->ihl < 5) {
+		if (nhoff < 0 || !iph || iph->ihl < 5) {
 			fdret = FLOW_DISSECT_RET_OUT_BAD;
 			break;
 		}