With that patch, you support vulnerable versions of polarssl. Upstream developers should never rely on distributors to fix this. The code should not compile with any known vulnerable version.