diff --git a/CHANGES b/CHANGES
index ba49347cec..f00f2d5783 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,22 @@
+5.1.0-dev.511 | 2022-09-19 12:41:31 -0700
+
+ * Add better length check to BuildOptionsVal() (Tim Wojtulewicz, Corelight)
+
+ * smb: Unify transaction_data_to_val() usage (Arne Welzel, Corelight)
+
+ the data/string handling in smb1-com-transaction.pcac was improved
+ with c75519ca8869448efc488598090f96d63352312f, re-use the added
+ functionality also for smb1-com-transaction-secondary.pac to avoid
+ buffer overflows.
+
+ * Add some additional checks for caplen in ICMP analyzer (Tim Wojtulewicz, Corelight)
+
+ * irc: Check parts.size() before removing the nick (Arne Welzel, Corelight)
+
+ ...also, don't remove the nick twice.
+
+ * Check IP payload length before casting to transport structure (Tim Wojtulewicz, Corelight)
+
 5.1.0-dev.506 | 2022-09-15 11:11:57 -0400
 
 * Use NextStream instead of ForwardStream in fuzzers (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index f7ff2a7f8b..a90ec39475 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-5.1.0-dev.506
+5.1.0-dev.511
diff --git a/src/IP.cc b/src/IP.cc
index f1e97847c3..c85cdc1e96 100644
--- a/src/IP.cc
+++ b/src/IP.cc
@@ -20,7 +20,7 @@ static VectorValPtr BuildOptionsVal(const u_char* data, int len)
 {
 auto vv = make_intrusive(id::find_type("ip6_options"));
 
- while ( len > 0 )
+ while ( static_cast(len) >= sizeof(struct ip6_opt) )
 {
 static auto ip6_option_type = id::find_type("ip6_option");
 const struct ip6_opt* opt = (const struct ip6_opt*)data;
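Review bot: Casting `len` to an unsigned type before the comparison drops the negative-length guard that the old `while ( len > 0 )` gave: if the loop body (which continues past this hunk) ever leaves `len` negative after subtracting an option's length, the wrapped value compares as huge and the loop keeps reading past the buffer. Comparing in the signed domain keeps both properties with one change, `while ( len >= static_cast<int>(sizeof(struct ip6_opt)) )`. The new guard also only proves the two fixed header bytes of `struct ip6_opt` are present; if the body consumes `opt->ip6o_len` data bytes, it presumably needs its own bound check against the remaining `len` before reading or advancing, which is not visible here. BuildOptionsVal's body continues outside the hunk.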