proftpd/patches/proftpd-1.3.0a-ipv6_cidr_warn.patch

# ipv6_cidr_warn.dpatch by Francesco Paolo Lovergine <frankie@debian.org>

diff -urNad proftpd-1.3.0~/modules/mod_core.c proftpd-1.3.0/modules/mod_core.c
--- proftpd-1.3.0~/modules/mod_core.c	2006-05-22 12:27:46.000000000 +0200
+++ proftpd-1.3.0/modules/mod_core.c	2006-05-22 12:38:53.000000000 +0200
@@ -1025,10 +1025,15 @@
     if (strcasecmp("all", *(cargv + 1)) == 0 ||
         strcasecmp("none", *(cargv + 1)) == 0) {
       pr_netacl_t *acl = pr_netacl_create(cmd->tmp_pool, *(cargv + 1));
+      if (!acl) {
+        CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "bad ACL definition '",
+          *(cargv + 1), "': ", strerror(errno), NULL));
+      }
 
-      if (pr_class_add_acl(acl) < 0)
+      if (pr_class_add_acl(acl) < 0) {
         CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "error adding rule '",
           *(cargv + 1), "': ", strerror(errno), NULL));
+      }
 
       cargc = 0;
     }
@@ -1043,18 +1048,24 @@
 
     while ((ent = get_token(&str, ",")) != NULL) {
       if (*ent) {
-       pr_netacl_t *acl;
+        pr_netacl_t *acl;
 
-       if (strcasecmp(ent, "all") == 0 ||
-           strcasecmp(ent, "none") == 0) {
-          cargc = 0;
-          break;
+        if (strcasecmp(ent, "all") == 0 ||
+            strcasecmp(ent, "none") == 0) {
+           cargc = 0;
+           break;
+         }
+
+        acl = pr_netacl_create(cmd->tmp_pool, ent);
+        if (!acl) {
+          CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "bad ACL definition '",
+            *(cargv + 1), "': ", strerror(errno), NULL));
         }
 
-       acl = pr_netacl_create(cmd->tmp_pool, ent);
-       if (pr_class_add_acl(acl) < 0)
-         CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "error adding rule '", ent,
-           "': ", strerror(errno), NULL));
+        if (pr_class_add_acl(acl) < 0) {
+          CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "error adding rule '", ent,
+            "': ", strerror(errno), NULL));
+        }
       }
     }
   }
@@ -2511,9 +2522,10 @@
         }
 
         acl = pr_netacl_create(c->pool, ent);
-        if (!acl)
-          CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "bad ACL definition: '",
+        if (!acl) {
+          CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "bad ACL definition '",
             ent, "': ", strerror(errno), NULL));     
+        }
 
         *((pr_netacl_t **) push_array(list)) = acl;
       }
diff -urNad proftpd-1.3.0~/src/netacl.c proftpd-1.3.0/src/netacl.c
--- proftpd-1.3.0~/src/netacl.c	2006-05-22 12:27:46.000000000 +0200
+++ proftpd-1.3.0/src/netacl.c	2006-05-22 12:38:53.000000000 +0200
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - FTP server daemon
- * Copyright (c) 2003 The ProFTPD Project team
+ * Copyright (c) 2003-2006 The ProFTPD Project team
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -172,15 +172,20 @@
 
 #ifdef PR_USE_IPV6
       case AF_INET6: {
-        /* Make sure that the given number of bits is not more than supported
-         * for IPv6 addresses (128).
-         */
         if (acl->masklen > 128) {
-          errno = EINVAL;
-          return NULL;
-        }
+           errno = EINVAL;
+           return NULL;
 
-        break;
+        } else if (pr_netaddr_is_v4mappedv6(acl->addr) == TRUE &&
+                   acl->masklen > 32) {
+
+          /* The admin may be trying to use IPv6-style masks on IPv4-mapped
+           * IPv6 addresses, which of course will not work as expected. 
+           * If the mask is 32 bits or more, warn the admin.
+           */
+          pr_log_pri(PR_LOG_WARNING, "warning: possibly using IPv6-style netmask on IPv4-mapped IPv6 address, which will not work as expected");
+          break;
+        }
       }
 #endif /* PR_USE_IPV6 */
 
diff -urNad proftpd-1.3.0~/src/netaddr.c proftpd-1.3.0/src/netaddr.c
--- proftpd-1.3.0~/src/netaddr.c	2005-09-19 23:35:38.000000000 +0200
+++ proftpd-1.3.0/src/netaddr.c	2006-05-22 12:38:53.000000000 +0200
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - FTP server daemon
- * Copyright (c) 2003-2005 The ProFTPD Project team
+ * Copyright (c) 2003-2006 The ProFTPD Project team
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -219,8 +219,7 @@
 }
 #endif /* !HAVE_INET_PTON */
 
-#ifdef HAVE_GETHOSTBYNAME2
-static void *get_v4inaddr(pr_netaddr_t *na) {
+static void *get_v4inaddr(const pr_netaddr_t *na) {
 
   /* This function is specifically for IPv4 clients (when gethostbyname2(2) is
    * present) that have an IPv4-mapped IPv6 address, when performing reverse
@@ -234,7 +233,6 @@
 
   return (((char *) pr_netaddr_get_inaddr(na)) + 12);
 }
-#endif /* HAVE_GETHOSTBYNAME2 */
 
 int pr_netaddr_set_reverse_dns(int enable) {
   int old_enable = reverse_dns;
@@ -652,6 +650,10 @@
 }
 
 int pr_netaddr_cmp(const pr_netaddr_t *na1, const pr_netaddr_t *na2) {
+  pool *tmp_pool = NULL;
+  pr_netaddr_t *a, *b;
+  int res;
+
   if (na1 && !na2)
     return 1;
 
@@ -662,29 +664,85 @@
     return 0;
 
   if (pr_netaddr_get_family(na1) != pr_netaddr_get_family(na2)) {
-    /* Cannot compare addresses from different families. */
-    errno = EINVAL;
-    return -1;
+
+    /* Cannot compare addresses from different families, unless one
+     * of the netaddrs has an AF_INET family, and the other has an
+     * AF_INET6 family AND is an IPv4-mapped IPv6 address.
+     */
+
+    if (pr_netaddr_is_v4mappedv6(na1) != TRUE &&
+        pr_netaddr_is_v4mappedv6(na2) != TRUE) {
+      errno = EINVAL;
+      return -1;
+    }
+
+    if (pr_netaddr_is_v4mappedv6(na1) == TRUE) {
+      tmp_pool = make_sub_pool(permanent_pool);
+
+      /* This case means that na1 is an IPv4-mapped IPv6 address, and
+       * na2 is an IPv4 address.
+       */
+      a = pr_netaddr_alloc(tmp_pool);
+      pr_netaddr_set_family(a, AF_INET);
+      pr_netaddr_set_port(a, pr_netaddr_get_port(na1));
+      memcpy(&a->na_addr.v4.sin_addr, get_v4inaddr(na1),
+        sizeof(struct in_addr));
+
+      b = (pr_netaddr_t *) na2;
+
+    } else if (pr_netaddr_is_v4mappedv6(na2) == TRUE) {
+      tmp_pool = make_sub_pool(permanent_pool);
+
+      /* This case means that na is an IPv4 address, and na2 is an
+       * IPv4-mapped IPv6 address.
+       */
+      a = (pr_netaddr_t *) na1;
+
+      b = pr_netaddr_alloc(tmp_pool);
+      pr_netaddr_set_family(b, AF_INET);
+      pr_netaddr_set_port(b, pr_netaddr_get_port(na2));
+      memcpy(&b->na_addr.v4.sin_addr, get_v4inaddr(na2),
+        sizeof(struct in_addr));
+
+    } else {
+      a = (pr_netaddr_t *) na1;
+      b = (pr_netaddr_t *) na2;
+    }
+
+  } else {
+    a = (pr_netaddr_t *) na1;
+    b = (pr_netaddr_t *) na2;
   }
 
-  switch (pr_netaddr_get_family(na1)) {
+  switch (pr_netaddr_get_family(a)) {
     case AF_INET:
-      return memcmp(&na1->na_addr.v4.sin_addr, &na2->na_addr.v4.sin_addr,
+      res = memcmp(&a->na_addr.v4.sin_addr, &b->na_addr.v4.sin_addr,
         sizeof(struct in_addr));
+      if (tmp_pool)
+        destroy_pool(tmp_pool);
+      return res;
 
 #ifdef PR_USE_IPV6
     case AF_INET6:
-      return memcmp(&na1->na_addr.v6.sin6_addr, &na2->na_addr.v6.sin6_addr,
+      res = memcmp(&a->na_addr.v6.sin6_addr, &b->na_addr.v6.sin6_addr,
         sizeof(struct in6_addr));
+      if (tmp_pool);
+        destroy_pool(tmp_pool);
+      return res;
 #endif /* PR_USE_IPV6 */
   }
 
+  if (tmp_pool)
+    destroy_pool(tmp_pool);
+
   errno = EPERM;
   return -1;
 }
 
 int pr_netaddr_ncmp(const pr_netaddr_t *na1, const pr_netaddr_t *na2,
     unsigned int bitlen) {
+  pool *tmp_pool = NULL;
+  pr_netaddr_t *a, *b;
   unsigned int nbytes, nbits;
   const unsigned char *in1, *in2;
 
@@ -698,12 +756,57 @@
     return 0;
 
   if (pr_netaddr_get_family(na1) != pr_netaddr_get_family(na2)) {
-    /* Cannot compare addresses from different families. */
-    errno = EINVAL;
-    return -1;
+
+    /* Cannot compare addresses from different families, unless one
+     * of the netaddrs has an AF_INET family, and the other has an
+     * AF_INET6 family AND is an IPv4-mapped IPv6 address.
+     */
+
+    if (pr_netaddr_is_v4mappedv6(na1) != TRUE &&
+        pr_netaddr_is_v4mappedv6(na2) != TRUE) {
+      errno = EINVAL;
+      return -1;
+    }
+
+    if (pr_netaddr_is_v4mappedv6(na1) == TRUE) {
+      tmp_pool = make_sub_pool(permanent_pool);
+
+      /* This case means that na1 is an IPv4-mapped IPv6 address, and
+       * na2 is an IPv4 address.
+       */
+      a = pr_netaddr_alloc(tmp_pool);
+      pr_netaddr_set_family(a, AF_INET);
+      pr_netaddr_set_port(a, pr_netaddr_get_port(na1));
+      memcpy(&a->na_addr.v4.sin_addr, get_v4inaddr(na1),
+        sizeof(struct in_addr));
+
+      b = (pr_netaddr_t *) na2;
+
+    } else if (pr_netaddr_is_v4mappedv6(na2) == TRUE) {
+      tmp_pool = make_sub_pool(permanent_pool);
+
+      /* This case means that na is an IPv4 address, and na2 is an
+       * IPv4-mapped IPv6 address.
+       */
+      a = (pr_netaddr_t *) na1;
+
+      b = pr_netaddr_alloc(tmp_pool);
+      pr_netaddr_set_family(b, AF_INET);
+      pr_netaddr_set_port(b, pr_netaddr_get_port(na2));
+      memcpy(&b->na_addr.v4.sin_addr, get_v4inaddr(na2),
+        sizeof(struct in_addr));
+
+    } else {
+      a = (pr_netaddr_t *) na1;
+      b = (pr_netaddr_t *) na2;
+    }
+
+  } else {
+    a = (pr_netaddr_t *) na1;
+    b = (pr_netaddr_t *) na2;
   }
 
-  switch (pr_netaddr_get_family(na1)) {
+  switch (pr_netaddr_get_family(a)) {
     case AF_INET: {
       /* Make sure that the given number of bits is not more than supported
        * for IPv4 addresses (32).
@@ -736,8 +839,8 @@
   }
 
   /* Retrieve pointers to the contained in_addrs. */
-  in1 = (const unsigned char *) pr_netaddr_get_inaddr(na1);
-  in2 = (const unsigned char *) pr_netaddr_get_inaddr(na2);
+  in1 = (const unsigned char *) pr_netaddr_get_inaddr(a);
+  in2 = (const unsigned char *) pr_netaddr_get_inaddr(b);
 
   /* Determine the number of bytes, and leftover bits, in the given
    * bit length.
@@ -750,8 +853,12 @@
     int res = memcmp(in1, in2, nbytes);
 
     /* No need to continue comparing the addresses if they differ already. */
-    if (res != 0)
+    if (res != 0) {
+      if (tmp_pool)
+        destroy_pool(tmp_pool);
+
       return res;
+    }
   }
 
   /* Next, compare the remaining bits in the addresses. */
@@ -765,13 +872,22 @@
     /* Build up a mask covering the bits left to be checked. */
     mask = (0xff << (8 - nbits)) & 0xff;
 
-    if ((in1byte & mask) > (in2byte & mask))
+    if ((in1byte & mask) > (in2byte & mask)) {
+      if (tmp_pool)
+        destroy_pool(tmp_pool);
       return 1;
+    }
 
-    if ((in1byte & mask) < (in2byte & mask))
+    if ((in1byte & mask) < (in2byte & mask)) {
+      if (tmp_pool)
+        destroy_pool(tmp_pool);
       return -1;
+    }
   }
 
+  if (tmp_pool)
+    destroy_pool(tmp_pool);
+
   /* If we've made it this far, the addresses match, for the given bit
    * length.
    */
1	# ipv6_cidr_warn.dpatch by Francesco Paolo Lovergine <frankie@debian.org>
2
3	diff -urNad proftpd-1.3.0~/modules/mod_core.c proftpd-1.3.0/modules/mod_core.c
4	--- proftpd-1.3.0~/modules/mod_core.c 2006-05-22 12:27:46.000000000 +0200
5	+++ proftpd-1.3.0/modules/mod_core.c 2006-05-22 12:38:53.000000000 +0200
6	@@ -1025,10 +1025,15 @@
7	if (strcasecmp("all", *(cargv + 1)) == 0 \|\|
8	strcasecmp("none", *(cargv + 1)) == 0) {
9	pr_netacl_t acl = pr_netacl_create(cmd->tmp_pool, (cargv + 1));
10	+ if (!acl) {
11	+ CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "bad ACL definition '",
12	+ *(cargv + 1), "': ", strerror(errno), NULL));
13	+ }
14
15	- if (pr_class_add_acl(acl) < 0)
16	+ if (pr_class_add_acl(acl) < 0) {
17	CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "error adding rule '",
18	*(cargv + 1), "': ", strerror(errno), NULL));
19	+ }
20
21	cargc = 0;
22	}
23	@@ -1043,18 +1048,24 @@
24
25	while ((ent = get_token(&str, ",")) != NULL) {
26	if (*ent) {
27	- pr_netacl_t *acl;
28	+ pr_netacl_t *acl;
29
30	- if (strcasecmp(ent, "all") == 0 \|\|
31	- strcasecmp(ent, "none") == 0) {
32	- cargc = 0;
33	- break;
34	+ if (strcasecmp(ent, "all") == 0 \|\|
35	+ strcasecmp(ent, "none") == 0) {
36	+ cargc = 0;
37	+ break;
38	+ }
39	+
40	+ acl = pr_netacl_create(cmd->tmp_pool, ent);
41	+ if (!acl) {
42	+ CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "bad ACL definition '",
43	+ *(cargv + 1), "': ", strerror(errno), NULL));
44	}
45
46	- acl = pr_netacl_create(cmd->tmp_pool, ent);
47	- if (pr_class_add_acl(acl) < 0)
48	- CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "error adding rule '", ent,
49	- "': ", strerror(errno), NULL));
50	+ if (pr_class_add_acl(acl) < 0) {
51	+ CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "error adding rule '", ent,
52	+ "': ", strerror(errno), NULL));
53	+ }
54	}
55	}
56	}
57	@@ -2511,9 +2522,10 @@
58	}
59
60	acl = pr_netacl_create(c->pool, ent);
61	- if (!acl)
62	- CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "bad ACL definition: '",
63	+ if (!acl) {
64	+ CONF_ERROR(cmd, pstrcat(cmd->tmp_pool, "bad ACL definition '",
65	ent, "': ", strerror(errno), NULL));
66	+ }
67
68	((pr_netacl_t *) push_array(list)) = acl;
69	}
70	diff -urNad proftpd-1.3.0~/src/netacl.c proftpd-1.3.0/src/netacl.c
71	--- proftpd-1.3.0~/src/netacl.c 2006-05-22 12:27:46.000000000 +0200
72	+++ proftpd-1.3.0/src/netacl.c 2006-05-22 12:38:53.000000000 +0200
73	@@ -1,6 +1,6 @@
74	/*
75	* ProFTPD - FTP server daemon
76	- * Copyright (c) 2003 The ProFTPD Project team
77	+ * Copyright (c) 2003-2006 The ProFTPD Project team
78	*
79	* This program is free software; you can redistribute it and/or modify
80	* it under the terms of the GNU General Public License as published by
81	@@ -172,15 +172,20 @@
82
83	#ifdef PR_USE_IPV6
84	case AF_INET6: {
85	- /* Make sure that the given number of bits is not more than supported
86	- * for IPv6 addresses (128).
87	- */
88	if (acl->masklen > 128) {
89	- errno = EINVAL;
90	- return NULL;
91	- }
92	+ errno = EINVAL;
93	+ return NULL;
94
95	- break;
96	+ } else if (pr_netaddr_is_v4mappedv6(acl->addr) == TRUE &&
97	+ acl->masklen > 32) {
98	+
99	+ /* The admin may be trying to use IPv6-style masks on IPv4-mapped
100	+ * IPv6 addresses, which of course will not work as expected.
101	+ * If the mask is 32 bits or more, warn the admin.
102	+ */
103	+ pr_log_pri(PR_LOG_WARNING, "warning: possibly using IPv6-style netmask on IPv4-mapped IPv6 address, which will not work as expected");
104	+ break;
105	+ }
106	}
107	#endif /* PR_USE_IPV6 */
108
109	diff -urNad proftpd-1.3.0~/src/netaddr.c proftpd-1.3.0/src/netaddr.c
110	--- proftpd-1.3.0~/src/netaddr.c 2005-09-19 23:35:38.000000000 +0200
111	+++ proftpd-1.3.0/src/netaddr.c 2006-05-22 12:38:53.000000000 +0200
112	@@ -1,6 +1,6 @@
113	/*
114	* ProFTPD - FTP server daemon
115	- * Copyright (c) 2003-2005 The ProFTPD Project team
116	+ * Copyright (c) 2003-2006 The ProFTPD Project team
117	*
118	* This program is free software; you can redistribute it and/or modify
119	* it under the terms of the GNU General Public License as published by
120	@@ -219,8 +219,7 @@
121	}
122	#endif /* !HAVE_INET_PTON */
123
124	-#ifdef HAVE_GETHOSTBYNAME2
125	-static void get_v4inaddr(pr_netaddr_t na) {
126	+static void get_v4inaddr(const pr_netaddr_t na) {
127
128	/* This function is specifically for IPv4 clients (when gethostbyname2(2) is
129	* present) that have an IPv4-mapped IPv6 address, when performing reverse
130	@@ -234,7 +233,6 @@
131
132	return (((char *) pr_netaddr_get_inaddr(na)) + 12);
133	}
134	-#endif /* HAVE_GETHOSTBYNAME2 */
135
136	int pr_netaddr_set_reverse_dns(int enable) {
137	int old_enable = reverse_dns;
138	@@ -652,6 +650,10 @@
139	}
140
141	int pr_netaddr_cmp(const pr_netaddr_t na1, const pr_netaddr_t na2) {
142	+ pool *tmp_pool = NULL;
143	+ pr_netaddr_t a, b;
144	+ int res;
145	+
146	if (na1 && !na2)
147	return 1;
148
149	@@ -662,29 +664,85 @@
150	return 0;
151
152	if (pr_netaddr_get_family(na1) != pr_netaddr_get_family(na2)) {
153	- /* Cannot compare addresses from different families. */
154	- errno = EINVAL;
155	- return -1;
156	+
157	+ /* Cannot compare addresses from different families, unless one
158	+ * of the netaddrs has an AF_INET family, and the other has an
159	+ * AF_INET6 family AND is an IPv4-mapped IPv6 address.
160	+ */
161	+
162	+ if (pr_netaddr_is_v4mappedv6(na1) != TRUE &&
163	+ pr_netaddr_is_v4mappedv6(na2) != TRUE) {
164	+ errno = EINVAL;
165	+ return -1;
166	+ }
167	+
168	+ if (pr_netaddr_is_v4mappedv6(na1) == TRUE) {
169	+ tmp_pool = make_sub_pool(permanent_pool);
170	+
171	+ /* This case means that na1 is an IPv4-mapped IPv6 address, and
172	+ * na2 is an IPv4 address.
173	+ */
174	+ a = pr_netaddr_alloc(tmp_pool);
175	+ pr_netaddr_set_family(a, AF_INET);
176	+ pr_netaddr_set_port(a, pr_netaddr_get_port(na1));
177	+ memcpy(&a->na_addr.v4.sin_addr, get_v4inaddr(na1),
178	+ sizeof(struct in_addr));
179	+
180	+ b = (pr_netaddr_t *) na2;
181	+
182	+ } else if (pr_netaddr_is_v4mappedv6(na2) == TRUE) {
183	+ tmp_pool = make_sub_pool(permanent_pool);
184	+
185	+ /* This case means that na is an IPv4 address, and na2 is an
186	+ * IPv4-mapped IPv6 address.
187	+ */
188	+ a = (pr_netaddr_t *) na1;
189	+
190	+ b = pr_netaddr_alloc(tmp_pool);
191	+ pr_netaddr_set_family(b, AF_INET);
192	+ pr_netaddr_set_port(b, pr_netaddr_get_port(na2));
193	+ memcpy(&b->na_addr.v4.sin_addr, get_v4inaddr(na2),
194	+ sizeof(struct in_addr));
195	+
196	+ } else {
197	+ a = (pr_netaddr_t *) na1;
198	+ b = (pr_netaddr_t *) na2;
199	+ }
200	+
201	+ } else {
202	+ a = (pr_netaddr_t *) na1;
203	+ b = (pr_netaddr_t *) na2;
204	}
205
206	- switch (pr_netaddr_get_family(na1)) {
207	+ switch (pr_netaddr_get_family(a)) {
208	case AF_INET:
209	- return memcmp(&na1->na_addr.v4.sin_addr, &na2->na_addr.v4.sin_addr,
210	+ res = memcmp(&a->na_addr.v4.sin_addr, &b->na_addr.v4.sin_addr,
211	sizeof(struct in_addr));
212	+ if (tmp_pool)
213	+ destroy_pool(tmp_pool);
214	+ return res;
215
216	#ifdef PR_USE_IPV6
217	case AF_INET6:
218	- return memcmp(&na1->na_addr.v6.sin6_addr, &na2->na_addr.v6.sin6_addr,
219	+ res = memcmp(&a->na_addr.v6.sin6_addr, &b->na_addr.v6.sin6_addr,
220	sizeof(struct in6_addr));
221	+ if (tmp_pool);
222	+ destroy_pool(tmp_pool);
223	+ return res;
224	#endif /* PR_USE_IPV6 */
225	}
226
227	+ if (tmp_pool)
228	+ destroy_pool(tmp_pool);
229	+
230	errno = EPERM;
231	return -1;
232	}
233
234	int pr_netaddr_ncmp(const pr_netaddr_t na1, const pr_netaddr_t na2,
235	unsigned int bitlen) {
236	+ pool *tmp_pool = NULL;
237	+ pr_netaddr_t a, b;
238	unsigned int nbytes, nbits;
239	const unsigned char in1, in2;
240
241	@@ -698,12 +756,57 @@
242	return 0;
243
244	if (pr_netaddr_get_family(na1) != pr_netaddr_get_family(na2)) {
245	- /* Cannot compare addresses from different families. */
246	- errno = EINVAL;
247	- return -1;
248	+
249	+ /* Cannot compare addresses from different families, unless one
250	+ * of the netaddrs has an AF_INET family, and the other has an
251	+ * AF_INET6 family AND is an IPv4-mapped IPv6 address.
252	+ */
253	+
254	+ if (pr_netaddr_is_v4mappedv6(na1) != TRUE &&
255	+ pr_netaddr_is_v4mappedv6(na2) != TRUE) {
256	+ errno = EINVAL;
257	+ return -1;
258	+ }
259	+
260	+ if (pr_netaddr_is_v4mappedv6(na1) == TRUE) {
261	+ tmp_pool = make_sub_pool(permanent_pool);
262	+
263	+ /* This case means that na1 is an IPv4-mapped IPv6 address, and
264	+ * na2 is an IPv4 address.
265	+ */
266	+ a = pr_netaddr_alloc(tmp_pool);
267	+ pr_netaddr_set_family(a, AF_INET);
268	+ pr_netaddr_set_port(a, pr_netaddr_get_port(na1));
269	+ memcpy(&a->na_addr.v4.sin_addr, get_v4inaddr(na1),
270	+ sizeof(struct in_addr));
271	+
272	+ b = (pr_netaddr_t *) na2;
273	+
274	+ } else if (pr_netaddr_is_v4mappedv6(na2) == TRUE) {
275	+ tmp_pool = make_sub_pool(permanent_pool);
276	+
277	+ /* This case means that na is an IPv4 address, and na2 is an
278	+ * IPv4-mapped IPv6 address.
279	+ */
280	+ a = (pr_netaddr_t *) na1;
281	+
282	+ b = pr_netaddr_alloc(tmp_pool);
283	+ pr_netaddr_set_family(b, AF_INET);
284	+ pr_netaddr_set_port(b, pr_netaddr_get_port(na2));
285	+ memcpy(&b->na_addr.v4.sin_addr, get_v4inaddr(na2),
286	+ sizeof(struct in_addr));
287	+
288	+ } else {
289	+ a = (pr_netaddr_t *) na1;
290	+ b = (pr_netaddr_t *) na2;
291	+ }
292	+
293	+ } else {
294	+ a = (pr_netaddr_t *) na1;
295	+ b = (pr_netaddr_t *) na2;
296	}
297
298	- switch (pr_netaddr_get_family(na1)) {
299	+ switch (pr_netaddr_get_family(a)) {
300	case AF_INET: {
301	/* Make sure that the given number of bits is not more than supported
302	* for IPv4 addresses (32).
303	@@ -736,8 +839,8 @@
304	}
305
306	/* Retrieve pointers to the contained in_addrs. */
307	- in1 = (const unsigned char *) pr_netaddr_get_inaddr(na1);
308	- in2 = (const unsigned char *) pr_netaddr_get_inaddr(na2);
309	+ in1 = (const unsigned char *) pr_netaddr_get_inaddr(a);
310	+ in2 = (const unsigned char *) pr_netaddr_get_inaddr(b);
311
312	/* Determine the number of bytes, and leftover bits, in the given
313	* bit length.
314	@@ -750,8 +853,12 @@
315	int res = memcmp(in1, in2, nbytes);
316
317	/* No need to continue comparing the addresses if they differ already. */
318	- if (res != 0)
319	+ if (res != 0) {
320	+ if (tmp_pool)
321	+ destroy_pool(tmp_pool);
322	+
323	return res;
324	+ }
325	}
326
327	/* Next, compare the remaining bits in the addresses. */
328	@@ -765,13 +872,22 @@
329	/* Build up a mask covering the bits left to be checked. */
330	mask = (0xff << (8 - nbits)) & 0xff;
331
332	- if ((in1byte & mask) > (in2byte & mask))
333	+ if ((in1byte & mask) > (in2byte & mask)) {
334	+ if (tmp_pool)
335	+ destroy_pool(tmp_pool);
336	return 1;
337	+ }
338
339	- if ((in1byte & mask) < (in2byte & mask))
340	+ if ((in1byte & mask) < (in2byte & mask)) {
341	+ if (tmp_pool)
342	+ destroy_pool(tmp_pool);
343	return -1;
344	+ }
345	}
346
347	+ if (tmp_pool)
348	+ destroy_pool(tmp_pool);
349	+
350	/* If we've made it this far, the addresses match, for the given bit
351	* length.
352	*/