diff --git a/[refs] b/[refs]
index 1d280d54e377..6719cce9f8bd 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: c4363d6acd8d2ec9156f6469c742351e5d122489
+refs/heads/master: 70c2efa5a32a7d38e66224844032160317fa7887
diff --git a/trunk/net/sched/act_nat.c b/trunk/net/sched/act_nat.c
index 570949417f38..724553e8ed7b 100644
--- a/trunk/net/sched/act_nat.c
+++ b/trunk/net/sched/act_nat.c
@@ -205,7 +205,7 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a,
 	{
 		struct icmphdr *icmph;
 
-		if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph)))
+		if (!pskb_may_pull(skb, ihl + sizeof(*icmph)))
 			goto drop;
 
 		icmph = (void *)(skb_network_header(skb) + ihl);
@@ -215,6 +215,9 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a,
 		    (icmph->type != ICMP_PARAMETERPROB))
 			break;
 
+		if (!pskb_may_pull(skb, ihl + sizeof(*icmph) + sizeof(*iph)))
+			goto drop;
+
 		iph = (void *)(icmph + 1);
 		if (egress)
 			addr = iph->daddr;