From 14135e2cfed3d1f4ca7204f2ceee017678b4be31 Mon Sep 17 00:00:00 2001
From: Colin Percival <cperciva@FreeBSD.org>
Date: Tue, 24 Feb 2004 01:20:51 +0000
Subject: [PATCH] Fix array overflow: If len=128, don't access [16] of a
 16-byte IPv6 address, even if we subsequently ignore its value by applying a
 >>8 to it.

Reported by:	"Ted Unangst" <tedu@coverity.com>
Approved by:	rwatson (mentor), {ume, suz} (KAME)
---
 sys/netinet6/in6.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index d5bd36c8be6..801472a9d0b 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -1830,7 +1830,8 @@ in6_are_prefix_equal(p1, p2, len)
 
 	if (bcmp(&p1->s6_addr, &p2->s6_addr, bytelen))
 		return (0);
-	if (p1->s6_addr[bytelen] >> (8 - bitlen) !=
+	if (bitlen != 0 &&
+	    p1->s6_addr[bytelen] >> (8 - bitlen) !=
 	    p2->s6_addr[bytelen] >> (8 - bitlen))
 		return (0);