diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c
--- linux-source-2.6.18.orig/net/dccp/feat.c	2006-09-19 21:42:06.000000000 -0600
+++ linux-source-2.6.18/net/dccp/feat.c	2008-06-05 19:57:08.000000000 -0600
@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc
 
 	dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
 
+	if (len > 3) {
+		if (net_ratelimit())
+			printk("%s: invalid length %d\n", __func__, len);
+		return -EINVAL;
+	}
 	/* XXX sanity check feat change request */
 
 	/* check if that feature is already being negotiated */