diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index baeda372cf5c0d70d552459945ccf6a0d90fdff4..ea2bd0a8984bb29a4ef537817ccf0361d9c5102a 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -494,6 +494,9 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
 		r->d[0] = (0-m->d[0])&BN_MASK2;
 		for(i=1;i<j;i++) r->d[i] = (~m->d[i])&BN_MASK2;
 		r->top = j;
+		/* Upper words will be zero if the corresponding words of 'm'
+		 * were 0xfff[...], so decrement r->top accordingly. */
+		bn_correct_top(r);
 		}
 	else
 #endif