diff --git a/ChangeLog b/ChangeLog
index f854b76fa8..823dba958b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,8 @@ Changes in version 0.2.1.7-alpha - 2008-10-xx
       prevent possible guess-the-streamid injection attacks from
       intermediate hops.  Fixes another case of bug 446. Based on patch
       from rovv.
+    - Avoid using a negative right-shift when comparing 32-bit
+      addresses.  Possible fix for bug 845 and bug 811.
 
 
 Changes in version 0.2.1.6-alpha - 2008-09-30
diff --git a/src/common/address.c b/src/common/address.c
index 2a2924a756..d6b64828c1 100644
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -686,6 +686,8 @@ tor_addr_compare_masked(const tor_addr_t *addr1, const tor_addr_t *addr2,
       case AF_INET: {
         uint32_t a1 = ntohl(addr1->addr.in_addr.s_addr);
         uint32_t a2 = ntohl(addr2->addr.in_addr.s_addr);
+        if (mbits > 32)
+          mbits = 32;
         a1 >>= (32-mbits);
         a2 >>= (32-mbits);
         return (a1 < a2) ? -1 : (a1 == a2) ? 0 : 1;