On Wed, 30 Jun 2004 15:11:25 -0400 (EDT)
James Morris [off-list ref] wrote:

FYI, I have audited options parsing code in TCP, IPv4 input and Netfilter 
for any similar problems and not found any.  Further review would be 
useful (I have not looked at the IPv6 header parsing for example).

I can't find any other cases.

This bug only came up because up the huge change Rusty and Harald did
to make these modules not access the SKB header data directly, and
instead to use local on-stack copies and skb_copy_bits().