diff --git a/dccp-handle-invalid-feature-options-length.patch b/dccp-handle-invalid-feature-options-length.patch
new file mode 100644
index 0000000..48f66a3
--- /dev/null
+++ b/dccp-handle-invalid-feature-options-length.patch
@@ -0,0 +1,35 @@
+From a294865978b701e4d0d90135672749531b9a900d Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 6 May 2011 03:27:18 +0000
+Subject: dccp: handle invalid feature options length
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit a294865978b701e4d0d90135672749531b9a900d upstream.
+
+A length of zero (after subtracting two for the type and len fields) for
+the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
+the subtraction.  The subsequent code may read past the end of the
+options value buffer when parsing.  I'm unsure of what the consequences
+of this might be, but it's probably not good.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/dccp/options.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dccp/options.c
++++ b/net/dccp/options.c
+@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk,
+ 		case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
+ 			if (pkt_type == DCCP_PKT_DATA)      /* RFC 4340, 6 */
+ 				break;
++			if (len == 0)
++				goto out_invalid_option;
+ 			rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
+ 						    *value, value + 1, len - 1);
+ 			if (rc)
diff --git a/kernel.spec b/kernel.spec
index b27be1b..105effc 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -852,6 +852,9 @@ Patch13969: scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
 # fix bug in 2.6.35.13 with old windows servers
 Patch13970: cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
 
+# cve-2011-1770
+Patch13980: dccp-handle-invalid-feature-options-length.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1603,6 +1606,9 @@ ApplyPatch scsi_dh_hp_sw-fix-deadlock-in-start_stop_endio.patch
 # fix bug in 2.6.35.13 with old windows servers
 ApplyPatch cifs-add-fallback-in-is_path_accessible-for-old-servers.patch
 
+# cve-2011-1770
+ApplyPatch dccp-handle-invalid-feature-options-length.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2191,6 +2197,7 @@ fi
 %changelog
 * Fri May 20 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.13-92
 - Add the rest of the fix for bug #704059
+- dccp: handle invalid feature options length (CVE-2011-1770)
 
 * Wed May 18 2011 Chuck Ebbert <cebbert@redhat.com>
 - Fix cifs bug in 2.6.35.13 with old Windows servers (#704125)