diff --git a/CHANGELOG b/CHANGELOG
index 695442bf8..e06a1cb31 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-
+o Fixed several issues reported by Himanshu Anand: infinite loop in TCP options
+ parsing and out-of-bounds memory read in IPv4 OS detection; integer underflow
+ in IPv6 extension header processing; and undefined behavior in DNS label parsing.
+
 o [NSE][GH#3368] Fixed an out-of-memory issue in packet.lua when parsing a zero-length TCP header option. [Maxim Suhanov]
diff --git a/osscan2.cc b/osscan2.cc
index 6ec4559d6..c4eed462a 100644
--- a/osscan2.cc
+++ b/osscan2.cc
@@ -2922,7 +2922,10 @@ bool HostOsScan::processTUdpResp(HostOsScanStats *hss, const struct ip *ip, cons
 const u8 *ip2pkt = icmppkt + 8;
 memcpy(&ip2, ip2pkt, sizeof(ip2));
- const u8 *udppkt = ip2pkt + 4 * ip2.ip_hl;
+ unsigned int ip2hlen = 4 * ip2.ip_hl;
+ if (icmplen < 8 + ip2hlen + sizeof(udp))
+ return false;
+ const u8 *udppkt = ip2pkt + ip2hlen;
 memcpy(&udp, udppkt, sizeof(udp));
 /* The ports should match. */
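Review bot: The new length check in the osscan2.cc hunk sits after `memcpy(&ip2, ip2pkt, sizeof(ip2))`, so the inner IP header read at offset 8 of the ICMP payload is not guarded by it, and the check also accepts an inner header with `ip_hl < 5` (ip2hlen smaller than sizeof(ip2)), which would place udppkt inside the bytes just copied into ip2 rather than after a valid header. Unless code before the hunk already requires `icmplen >= 8 + sizeof(ip2)`, I would add `if (icmplen < 8 + sizeof(ip2)) return false;` ahead of that memcpy and reject malformed inner headers in the added check: `if (ip2.ip_hl < 5 || icmplen < 8 + ip2hlen + sizeof(udp)) return false;`. A short comment on the check, such as `/* ICMP header (8) + quoted inner IPv4 header + UDP header must fit in icmplen */`, would also make the 8 less magic. processTUdpResp starts and ends outside this hunk, so I cannot see whether an earlier bound on icmplen exists.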