diff --git a/doc/changelog.txt b/doc/changelog.txt
index 3557175..81fcbdc 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -5,6 +5,7 @@ Fixes:
 - build: the code actually requires at least iptables 1.4.5 (would yield a compile error otherwise), make sure configure checks for it; update INSTALL
 - xt_ECHO: fix kernel warning about RTAX_HOPLIMIT being used
+- xt_ipv4options: fix an infinite loop
 Changes:
 - xt_ECHO: now calculates UDP checksum
 Enhancements:
diff --git a/extensions/xt_ipv4options.c b/extensions/xt_ipv4options.c
index 42481f7..5e9d34c 100644
--- a/extensions/xt_ipv4options.c
+++ b/extensions/xt_ipv4options.c
@@ -20,6 +20,17 @@ static uint32_t ipv4options_rd(const uint8_t *data, int len)
 uint32_t opts = 0;
 while (len >= 2) {
+ switch (data[0]) {
+ case IPOPT_END:
+ return opts;
+ case IPOPT_NOOP:
+ --len;
+ ++data;
+ continue;
+ }
+
+ if (data[1] < 2 || data[1] > len)
+ return opts;
 opts |= 1 << (data[0] & 0x1F);
 len -= data[1];
 data += data[1];
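Review bot: The unchanged line `opts |= 1 << (data[0] & 0x1F);` directly below the new length check still shifts a signed `int`, so an option type whose low five bits are 31 shifts into the sign bit, which is undefined behaviour on packet-controlled input; `opts |= 1U << (data[0] & 0x1F);` avoids it. The added `if (data[1] < 2 || data[1] > len) return opts;` returns the bits gathered so far, so at this level a packet with a malformed option list looks the same as a well-formed one carrying those options. A comment such as `/* malformed option length: stop parsing, report the options seen so far */` above that check would make the choice explicit for rule writers. The while loop and the rest of ipv4options_rd continue outside the hunk, so how the caller treats a partial mask cannot be confirmed from here.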