1. Add IPv6 portrange restriction code (-U flag) to passive().

2. Add portrange restriction code (for both v4 and v6) to the EPSV
processing stuff.

1 files changed, 31 insertions, 0 deletions

diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index 7030a93..deea1b9 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -2345,6 +2345,16 @@ passive()
 		    goto pasv_error;
 	}
 #endif
+#ifdef IPV6_PORTRANGE
+	if (ctrl_addr.su_family == AF_INET6) {
+	    int on = restricted_data_ports ? IPV6_PORTRANGE_HIGH
+					   : IPV6_PORTRANGE_DEFAULT;
+
+	    if (setsockopt(pdata, IPPROTO_IPV6, IPV6_PORTRANGE,
+			    (char *)&on, sizeof(on)) < 0)
+		    goto pasv_error;
+	}
+#endif
 
 	pasv_addr = ctrl_addr;
 	pasv_addr.su_port = 0;
@@ -2438,6 +2448,27 @@ long_passive(cmd, pf)
 	pasv_addr.su_port = 0;
 	len = pasv_addr.su_len;
 
+#ifdef IP_PORTRANGE
+	if (ctrl_addr.su_family == AF_INET) {
+	    int on = restricted_data_ports ? IP_PORTRANGE_HIGH
+					   : IP_PORTRANGE_DEFAULT;
+
+	    if (setsockopt(pdata, IPPROTO_IP, IP_PORTRANGE,
+			    (char *)&on, sizeof(on)) < 0)
+		    goto pasv_error;
+	}
+#endif
+#ifdef IPV6_PORTRANGE
+	if (ctrl_addr.su_family == AF_INET6) {
+	    int on = restricted_data_ports ? IPV6_PORTRANGE_HIGH
+					   : IPV6_PORTRANGE_DEFAULT;
+
+	    if (setsockopt(pdata, IPPROTO_IPV6, IPV6_PORTRANGE,
+			    (char *)&on, sizeof(on)) < 0)
+		    goto pasv_error;
+	}
+#endif
+
 	if (bind(pdata, (struct sockaddr *)&pasv_addr, len) < 0)
 		goto pasv_error;