diff --git a/CHANGES b/CHANGES
index 95452076f8..ba417482a1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
+3.3.0-dev.463 | 2020-10-19 18:57:00 -0700
+
+ * Add length checks for IP header values before parsing TCP/UDP (Tim Wojtulewicz, Corelight)
+
 3.3.0-dev.461 | 2020-10-19 11:54:23 -0700
 * Fix deprecation warning in POP3 fuzzer (Jon Siwek, Corelight)
diff --git a/VERSION b/VERSION
index 3692fde9a3..e97206409f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.3.0-dev.461
+3.3.0-dev.463
diff --git a/src/Sessions.cc b/src/Sessions.cc
index 5a7ad25b2e..0e9393e4dc 100644
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@@ -89,6 +89,18 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt)
 uint32_t len = ip_hdr->TotalLen();
 uint16_t ip_hdr_len = ip_hdr->HdrLen();
+ if ( len < ip_hdr_len )
+ {
+ sessions->Weird("bogus_IP_header_lengths", pkt);
+ return;
+ }
+
+ if ( caplen < ip_hdr_len )
+ {
+ sessions->Weird("truncated_IP", pkt);
+ return;
+ }
+
 len -= ip_hdr_len; // remove IP header
 caplen -= ip_hdr_len; // remove IP header
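Review bot: Both new guards in `NetSessions::DoNextPacket` use a strict `<`, so a packet with `len == ip_hdr_len` or `caplen == ip_hdr_len` still passes and continues with zero payload bytes. The per-protocol minimum-length checks that have to catch that case sit outside this hunk and are worth confirming. The guards would also benefit from a comment saying why they exist, for example `// len and caplen are unsigned: reject before the subtractions below can wrap`. `len` is declared `uint32_t` here, but the type of `caplen` is not visible, so that wording assumes it is unsigned too. No regression test for either weird appears in this part of the commit; one trace whose header length exceeds the total length and one truncated mid-header would pin both paths.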