Index: sys/kern/uipc_mbuf.c
===================================================================
--- sys/kern/uipc_mbuf.c
+++ sys/kern/uipc_mbuf.c
@@ -420,6 +420,17 @@
 	n->m_flags |= m->m_flags & M_RDONLY;
 }
 
+void
+m_demote_pkthdr(struct mbuf *m)
+{
+
+	M_ASSERTPKTHR(m);
+
+	m_tag_delete_chain(m, NULL);
+	m->m_flags &= ~M_PKTHDR;
+	bzero(&m->m_pkthdr, sizeof(struct pkthdr));
+}
+
 /*
  * Clean up mbuf (chain) from any tags and packet headers.
  * If "all" is set then the first mbuf in the chain will be
@@ -433,11 +444,8 @@
 	for (m = all ? m0 : m0->m_next; m != NULL; m = m->m_next) {
 		KASSERT(m->m_nextpkt == NULL, ("%s: m_nextpkt in m %p, m0 %p",
 		    __func__, m, m0));
-		if (m->m_flags & M_PKTHDR) {
-			m_tag_delete_chain(m, NULL);
-			m->m_flags &= ~M_PKTHDR;
-			bzero(&m->m_pkthdr, sizeof(struct pkthdr));
-		}
+		if (m->m_flags & M_PKTHDR)
+			m_demote_pkthdr(m);
 		m->m_flags = m->m_flags & (M_EXT | M_RDONLY | M_NOFREE | flags);
 	}
 }
Index: sys/netinet/tcp_lro.c
===================================================================
--- sys/netinet/tcp_lro.c
+++ sys/netinet/tcp_lro.c
@@ -383,7 +383,7 @@
 	int error, ip_len, l;
 	uint16_t eh_type, tcp_data_len;
 
-	/* We expect a contiguous header [eh, ip, tcp]. */
+	M_ASSERTPKTHDR(m);
 
 	eh = mtod(m, struct ether_header *);
 	eh_type = ntohs(eh->ether_type);
@@ -391,6 +391,8 @@
 #ifdef INET6
 	case ETHERTYPE_IPV6:
 	{
+		/* We expect a contiguous header [eh, ip6, tcp]. */
+		MPASS(m->m_len >= sizeof(*eh) + sizeof(*ip6) + sizeof(*th));
 		CURVNET_SET(lc->ifp->if_vnet);
 		if (V_ip6_forwarding != 0) {
 			/* XXX-BZ stats but changing lro_ctrl is a problem. */
@@ -410,6 +412,8 @@
 #ifdef INET
 	case ETHERTYPE_IP:
 	{
+		/* We expect a contiguous header [eh, ip, tcp]. */
+		MPASS(m->m_len >= sizeof(*eh) + sizeof(*ip) + sizeof(*th));
 		CURVNET_SET(lc->ifp->if_vnet);
 		if (V_ipforwarding != 0) {
 			/* XXX-BZ stats but changing lro_ctrl is a problem. */
@@ -550,7 +554,7 @@
 		 * append new segment to existing mbuf chain.
 		 */
 		m_adj(m, m->m_pkthdr.len - tcp_data_len);
-		m->m_flags &= ~M_PKTHDR;
+		m_demote_pkthdr(m);
 
 		le->m_tail->m_next = m;
 		le->m_tail = m_last(m);
Index: sys/sys/mbuf.h
===================================================================
--- sys/sys/mbuf.h
+++ sys/sys/mbuf.h
@@ -959,6 +959,7 @@
 void		 m_copy_pkthdr(struct mbuf *, struct mbuf *);
 struct mbuf	*m_copyup(struct mbuf *, int, int);
 struct mbuf	*m_defrag(struct mbuf *, int);
+void		 m_demote_pkthdr(struct mbuf *);
 void		 m_demote(struct mbuf *, int, int);
 struct mbuf	*m_devget(char *, int, int, struct ifnet *,
 		    void (*)(char *, caddr_t, u_int));