diff --git a/overlay/tio/tio_gso_linux.go b/overlay/tio/tio_gso_linux.go
index 0df8d0fd..95de8075 100644
--- a/overlay/tio/tio_gso_linux.go
+++ b/overlay/tio/tio_gso_linux.go
@@ -80,7 +80,7 @@ func newOffload(fd int, shutdownFd int) (*Offload, error) {
 		fd:         fd,
 		shutdownFd: shutdownFd,
 		closed:     atomic.Bool{},
-		readBuf:    make([]byte, tunReadBufSize),
+		readBuf:    make([]byte, virtioNetHdrLen+tunReadBufSize),
 		readPoll: [2]unix.PollFd{
 			{Fd: int32(fd), Events: unix.POLLIN},
 			{Fd: int32(shutdownFd), Events: unix.POLLIN},
diff --git a/overlay/tio/tun_linux_offload.go b/overlay/tio/tun_linux_offload.go
index 0b953a3e..f2cdab12 100644
--- a/overlay/tio/tun_linux_offload.go
+++ b/overlay/tio/tun_linux_offload.go
@@ -56,6 +56,9 @@ func checkVirtioValid(pkt []byte, hdr VirtioNetHdr) error {
 	if hdr.Flags&unix.VIRTIO_NET_HDR_F_RSC_INFO != 0 {
 		return fmt.Errorf("virtio RSC_INFO flag not supported on TUN reads")
 	}
+	if len(pkt) < ipv4HeaderMinLen {
+		return fmt.Errorf("packet too short")
+	}
 	ipVersion := pkt[0] >> 4
 	switch hdr.GSOType {
 	case unix.VIRTIO_NET_HDR_GSO_TCPV4: