This defect exists in some initial code developed to handle IPv4 Internet Protocol Options.
The current net_builtin.c code assumes that there are no IPv4 Internet Protocol Options, and that the header is a fixed 20 bytes.
This is not a replay.
In computing the new IP payload offset when there are Internet Protocol Options present, the current packet size range check is no longer a valid test. Therefore, it can lead to a read buffer overflow on the packet data.