vulnerabilities in this code chunk

[erk_3 () hotmail com]

Heylo,
I am trying to find all the vuln's in this code chunk, and the only thing I can come up with is a null pointer 
dereference.  Assume data and data_len are user controlled.
Null pointer happens when passing in a negative number.  I was looking hard at the memset functions but I couldn't come 
up with anything.  
Anyone else see anything here?
Thanks!

char *copy_data(char *data, unsigned int data_len)

{ 
unsigned int header_size = 8;
char *buf;
if (!(buf = malloc(data_len + header_size))) 
{
return NULL; 
}
memcpy(buf, "HEADER: ", 8);
memcpy(buf + 8, data, data_len);
return buf;
}