Suricata

When the engine checks for IPv4 options, there are a couple of TODOs connected to
EOL (end of options list) that should be checked, to ensure there isn't a window for data leakage or sneaking, here. Also confirm whether it is possible to have other headers after EOL, or when EOL is required but not present?
(from the code):

/** \todo What if padding is non-zero (possible covert channel or data leakage)? */
/** \todo Spec seems to indicate EOL required if there is padding */