Index: sys/netinet/ip_output.c
===================================================================
--- sys/netinet/ip_output.c
+++ sys/netinet/ip_output.c
@@ -956,6 +956,7 @@
 ip_ctloutput(struct socket *so, struct sockopt *sopt)
 {
 	struct	inpcb *inp = sotoinpcb(so);
+	struct	mbuf *options;
 	int	error, optval;
 #ifdef	RSS
 	uint32_t rss_bucket;
@@ -1242,12 +1243,18 @@
 		switch (sopt->sopt_name) {
 		case IP_OPTIONS:
 		case IP_RETOPTS:
-			if (inp->inp_options)
+			if (inp->inp_options) {
+				unsigned long len = ulmin(inp->inp_options->m_len, sopt->sopt_valsize);
+				options = malloc(len, M_TEMP, M_WAITOK);
+				INP_RLOCK(inp);
+				bcopy(inp->inp_options, options, len);
+				INP_RUNLOCK(inp);
 				error = sooptcopyout(sopt,
-						     mtod(inp->inp_options,
+						     mtod(options,
 							  char *),
-						     inp->inp_options->m_len);
-			else
+						     len);
+				free(options, M_TEMP);
+			} else
 				sopt->sopt_valsize = 0;
 			break;