diff --git a/src/SSL-binpac.cc b/src/SSL-binpac.cc
index ec1fd206f6..c44ae5fb70 100644
--- a/src/SSL-binpac.cc
+++ b/src/SSL-binpac.cc
@@ -7,6 +7,7 @@ SSL_Analyzer_binpac::SSL_Analyzer_binpac(Connection* c)
 : TCP_ApplicationAnalyzer(AnalyzerTag::SSL, c)
 {
 interp = new binpac::SSL::SSL_Conn(this);
+ had_gap = false;
 }
 SSL_Analyzer_binpac::~SSL_Analyzer_binpac()
@@ -36,12 +37,24 @@ void SSL_Analyzer_binpac::DeliverStream(int len, const u_char* data, bool orig)
 if ( TCP()->IsPartial() )
 return;
+ if ( had_gap )
+ // XXX: If only one side had a content gap, we could still try to
+ // deliver data to the other side if the script layer can handle this.
+ return;
- interp->NewData(orig, data, data + len);
+ try
+ {
+ interp->NewData(orig, data, data + len);
+ }
+ catch ( binpac::Exception const &e )
+ {
+ ProtocolViolation(fmt("Binpac exception: %s", e.c_msg()));
+ }
 }
 void SSL_Analyzer_binpac::Undelivered(int seq, int len, bool orig)
 {
 TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
+ had_gap = true;
 interp->NewGap(orig, len);
 }
diff --git a/src/SSL-binpac.h b/src/SSL-binpac.h
index 7d0c8d3939..8dab19d00c 100644
--- a/src/SSL-binpac.h
+++ b/src/SSL-binpac.h
@@ -30,6 +30,7 @@ public:
 protected:
 binpac::SSL::SSL_Conn* interp;
+ bool had_gap;
 };
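Review bot: The new catch block in DeliverStream reports the binpac exception but leaves the analyzer live, so every later segment is still passed to `interp->NewData()` on a parser whose state may no longer be consistent; on a malformed stream that can mean one ProtocolViolation per delivery. Consider latching the failure the way the gap is latched, by setting a flag in the catch and testing it beside `if ( had_gap )`, so parsing stops after the first exception. `interp->NewGap(orig, len)` in Undelivered sits outside any try block, so if it can raise `binpac::Exception` (not visible here) the exception would escape this analyzer. The braceless `if ( had_gap )` with two comment lines before its `return;` is easy to misread and would be clearer with braces. DeliverStream begins above the hunk, so any earlier checks are not visible.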
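Review bot: `had_gap` is added to the class without a comment, and its scope is not obvious from the name: Undelivered sets it for a gap in either direction, and once it is set DeliverStream drops all further data for the whole connection. A comment on the member would record that, for example `// Set on the first content gap in either direction; once set, no further data is parsed.` As far as these hunks show, nothing is reported when analysis stops this way, so the comment should say so, because a single lost segment then ends SSL inspection for the connection without any trace.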