From 37aefa2ad1eaf8e6de091e822f599d09c6956e34 Mon Sep 17 00:00:00 2001
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Date: Sun, 5 Jun 2016 10:33:53 +0000
Subject: [PATCH] Fix 4-byte overflow in ipv6_writemask.

This bug could cause some IPv6 table prefix delete requests to fail.

Obtained from:	Yandex LLC
---
 sys/netpfil/ipfw/ip_fw_table_algo.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/ipfw/ip_fw_table_algo.c b/sys/netpfil/ipfw/ip_fw_table_algo.c
index bd6a54d5b97a..97bc8794d737 100644
--- a/sys/netpfil/ipfw/ip_fw_table_algo.c
+++ b/sys/netpfil/ipfw/ip_fw_table_algo.c
@@ -590,7 +590,8 @@ ipv6_writemask(struct in6_addr *addr6, uint8_t mask)
 
 	for (cp = (uint32_t *)addr6; mask >= 32; mask -= 32)
 		*cp++ = 0xFFFFFFFF;
-	*cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0);
+	if (mask > 0)
+		*cp = htonl(mask ? ~((1 << (32 - mask)) - 1) : 0);
 }
 #endif