diff --git a/CHANGELOG b/CHANGELOG
index c1b0a5f3..99608d45 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -67,6 +67,10 @@ HISTORY
 ++ Bug fixes:
+ 2007-03-11 Simon Goldschmidt
+ * pbuf.c: checked in patch #5796: pbuf_alloc: len field claculation caused
+ memory corruption.
+
 2007-03-11 Simon Goldschmidt (based on patch from Dmitry Potapov)
 * api_lib.c, sockets.c, api.h, api_msg.h, sockets.h: Fixed bug #19251
 (missing `const' qualifier in socket functions), to get more compatible to
diff --git a/src/core/pbuf.c b/src/core/pbuf.c
index ad9305a6..a9930098 100644
--- a/src/core/pbuf.c
+++ b/src/core/pbuf.c
@@ -102,6 +102,8 @@ pbuf_init(void)
 pbuf_pool = (struct pbuf *)MEM_ALIGN(pbuf_pool_memory);
+ LWIP_ASSERT("pbuf_init: sizeof(struct pbuf) must be a multiple of MEM_ALIGNMENT",
+ (sizeof(struct pbuf) % MEM_ALIGNMENT) == 0);
 LWIP_ASSERT("pbuf_init: PBUF_POOL_BUFSIZE not aligned",
 (PBUF_POOL_BUFSIZE % MEM_ALIGNMENT) == 0);
@@ -261,7 +263,7 @@ pbuf_alloc(pbuf_layer l, u16_t length, pbuf_flag flag)
 /* the total length of the pbuf chain is the requested size */
 p->tot_len = length;
 /* set the length of the first pbuf in the chain */
- p->len = length > PBUF_POOL_BUFSIZE - offset? PBUF_POOL_BUFSIZE - offset: length;
+ p->len = length > PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset)? PBUF_POOL_BUFSIZE - MEM_ALIGN_SIZE(offset): length;
 /* set reference count (needed here in case we fail) */
 p->ref = 1;
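Review bot: The added check on `sizeof(struct pbuf) % MEM_ALIGNMENT` in pbuf_init is a compile-time constant but is enforced only at runtime through LWIP_ASSERT, so a build with assertions disabled would run on with a layout that the length fix in pbuf_alloc appears to assume cannot occur. Because this invariant guards against the memory corruption named in the CHANGELOG entry, a compile-time check would be stronger, for example `typedef char pbuf_size_is_aligned[(sizeof(struct pbuf) % MEM_ALIGNMENT) == 0 ? 1 : -1];`, assuming MEM_ALIGNMENT is an integer constant expression in every port. If the runtime assert stays, a one-line comment above it saying which calculation depends on the aligned header size would help the next reader. pbuf_init's body starts and ends outside the hunk.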
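Review bot: The new `p->len` expression subtracts `MEM_ALIGN_SIZE(offset)` from `PBUF_POOL_BUFSIZE`, and nothing in the hunk shows that the aligned offset fits within one pool buffer. If a configuration pairs a small PBUF_POOL_BUFSIZE with large header reservations, the difference would presumably go negative, the comparison would take the first branch, and the value stored in `p->len` would wrap to a large length, which is the same class of overrun this commit fixes. An assertion before the assignment, such as `LWIP_ASSERT("pbuf_alloc: aligned offset exceeds PBUF_POOL_BUFSIZE", MEM_ALIGN_SIZE(offset) <= PBUF_POOL_BUFSIZE);`, would catch that, and computing the aligned offset once into a local would also shorten the line. The rest of pbuf_alloc, including how `offset` and `p->payload` are set and how later pbufs in the chain are sized, lies outside the hunk and should be checked for the same unaligned arithmetic.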