diff --git a/tcpip.cc b/tcpip.cc
index 2658a8235..2c7715ef2 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -1371,7 +1371,7 @@ static bool validateTCPhdr(const u8 *tcpc, unsigned len) {
 tcpc += (expected); \
 } while(0);
- while (optlen > 0) {
+ while (optlen > 1) {
 hdrlen = *(tcpc + 1);
 switch (*tcpc) {
 case 0: // EOL
@@ -1411,6 +1411,15 @@ static bool validateTCPhdr(const u8 *tcpc, unsigned len) {
 }
 }
+ if (optlen == 1) {
+ // Only 1 byte left in options, this has to be NOP or EOL
+ return (*tcpc == 0 || *tcpc == 1);
+ }
+ else if (optlen < 0) {
+ // Last option claimed to be longer than options list
+ return false;
+ }
 return true;
 }
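Review bot: The new `else if (optlen < 0)` branch in the second hunk only detects a final option whose length field overshoots the options area if `optlen` is a signed type; its declaration is outside the hunk, so that should be confirmed, because with an unsigned `optlen` the subtraction would wrap, this branch would be dead and the `while (optlen > 1)` loop would keep reading past the header on a crafted packet. Since this routine validates bytes taken from the wire, a comment pinning the invariant, e.g. `// optlen is signed: an option length exceeding the remaining bytes drives it negative`, would keep a later type change from silently breaking the check. The `else` after a `return` is redundant; `if (optlen < 0) {` reads cleaner. The `optlen == 1` read of `*tcpc` is in bounds (one byte remains), and treating only kind 0 (EOL) and 1 (NOP) as valid single-byte options matches their fixed one-byte encoding. validateTCPhdr's body begins before the first hunk and the length-check macro referenced there is not visible here.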