diff --git a/CHANGES b/CHANGES
index 7ede399622..60812ac1e6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2309.   [cleanup]       Fix Coverity warnings in lib/dns/acl.c and iptable.c.
+                        [RT #17455]
+
 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
 			[RT #17495]
 
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 4163b1561e..3833409c77 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.37 2007/12/21 06:46:47 marka Exp $ */
+/* $Id: acl.c,v 1.38 2008/01/17 08:08:08 each Exp $ */
 
 /*! \file */
 
@@ -102,7 +102,13 @@ dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
 	result = dns_acl_create(mctx, 0, &acl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg));
+
+	result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg));
+	if (result != ISC_R_SUCCESS) {
+                dns_acl_detach(&acl);
+		return (result);
+        }
+
 	*target = acl;
 	return (result);
 }
diff --git a/lib/dns/iptable.c b/lib/dns/iptable.c
index 8cd6c903e8..b4cb88a5ef 100644
--- a/lib/dns/iptable.c
+++ b/lib/dns/iptable.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: iptable.c,v 1.5 2007/09/28 00:11:32 each Exp $ */
+/* $Id: iptable.c,v 1.6 2008/01/17 08:08:08 each Exp $ */
 
 #include <isc/mem.h>
 #include <isc/radix.h>
@@ -66,6 +66,7 @@ dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
 
 	INSIST(DNS_IPTABLE_VALID(tab));
 	INSIST(tab->radix);
+	INSIST(bitlen <= 32 || (addr->family == AF_INET6 && bitlen <= 128));
 
 	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
 
diff --git a/lib/isc/include/isc/radix.h b/lib/isc/include/isc/radix.h
index 96668f9e30..37c7db00b1 100644
--- a/lib/isc/include/isc/radix.h
+++ b/lib/isc/include/isc/radix.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: radix.h,v 1.5 2007/09/28 00:11:32 each Exp $ */
+/* $Id: radix.h,v 1.6 2008/01/17 08:08:08 each Exp $ */
 
 /*
  * This source was adapted from MRT's RCS Ids:
@@ -36,13 +36,18 @@
 
 #define NETADDR_TO_PREFIX_T(na,pt,bits) \
 	do { \
-	        memset(&(pt), 0, sizeof(pt)); \
-                if((bits) && (na) != NULL) { \
-		        memcpy(&(pt).add.sin, &(na)->type.in, ((bits)+7)/8); \
-		        (pt).bitlen = (bits); \
-		        (pt).family = (na)->family; \
-                } else \
-		        (pt).family = AF_INET; \
+		memset(&(pt), 0, sizeof(pt)); \
+		if((bits) && (na) != NULL) { \
+			(pt).family = (na)->family; \
+			(pt).bitlen = (bits); \
+			if ((pt).family == AF_INET6) { \
+				memcpy(&(pt).add.sin6, &(na)->type.in6, \
+				       ((bits)+7)/8); \
+			} else \
+				memcpy(&(pt).add.sin, &(na)->type.in, \
+				       ((bits)+7)/8); \
+		} else \
+			(pt).family = AF_INET; \
 		isc_refcount_init(&(pt).refcount, 0); \
 	} while(0)