From 277ebca61009ac6618cd598aa81a9cf5f2b245f7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 20 Sep 2025 14:45:47 +0200
Subject: [PATCH] ftp: fix port number range loop for PORT commands

If the last port to test is 65535, the loop would previously wrongly
wrap the counter and start over at 0, which was not intended.

Reported in Joshua's sarif data

Closes #18636
---
 lib/ftp.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/ftp.c b/lib/ftp.c
index 6a33b6723c..1e2cd4d3cf 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -1121,14 +1121,16 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data,
     else
       break;
 
+    /* check if port is the maximum value here, because it might be 0xffff and
+       then the increment below will wrap the 16 bit counter */
+    if(port == port_max) {
+      /* maybe all ports were in use already */
+      failf(data, "bind() failed, ran out of ports");
+      goto out;
+    }
     port++;
   }
 
-  /* maybe all ports were in use already */
-  if(port > port_max) {
-    failf(data, "bind() failed, we ran out of ports");
-    goto out;
-  }
 
   /* get the name again after the bind() so that we can extract the
      port number it uses now */