From f0c093284d4f7194f359d79031d39ee661714057 Mon Sep 17 00:00:00 2001
From: Jacques Vidrine
Date: Mon, 6 Jan 2003 13:19:05 +0000
Subject: [PATCH] Correct file descriptor leaks in lseek and do_dup.

The leak in lseek was introduced in vfs_syscalls.c revision 1.218.
The leak in do_dup was introduced in kern_descrip.c revision 1.158.

Submitted by: iedowse
---
 sys/kern/kern_descrip.c | 1 +
 sys/kern/vfs_extattr.c | 23 +++++++++++++++--------
 sys/kern/vfs_syscalls.c | 23 +++++++++++++++--------
 3 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index bc14c610940..e5a211459aa 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -483,6 +483,7 @@ do_dup(td, type, old, new, retval)
 error = fdalloc(td, new, &newfd);
 if (error) {
 FILEDESC_UNLOCK(fdp);
+ fdrop(fp, td);
 return (error);
 }
 }
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index e994c812418..5592bbcf881 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -1326,8 +1326,10 @@ lseek(td, uap)
 case L_INCR:
 if (noneg &&
 (fp->f_offset < 0 ||
- (offset > 0 && fp->f_offset > OFF_MAX - offset)))
- return (EOVERFLOW);
+ (offset > 0 && fp->f_offset > OFF_MAX - offset))) {
+ error = EOVERFLOW;
+ break;
+ }
 offset += fp->f_offset;
 break;
 case L_XTND:
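Review bot: In the do_dup hunk of sys/kern/kern_descrip.c, the added `fdrop(fp, td);` carries no comment tying it to the reference it releases, and the matching acquisition lies outside the hunk, so the count cannot be checked from these lines alone. A comment such as `/* fdalloc() failed: release the reference held on fp before returning. */` would record the pairing. The placement after `FILEDESC_UNLOCK(fdp)` looks deliberate, presumably because dropping the last reference can do work that should not run under the descriptor-table lock, and is worth stating in the same comment. do_dup's body starts and ends outside the hunk, so any other early return between the acquisition and this point should be checked for the same omission.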
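Review bot: In the lseek hunks of sys/kern/vfs_extattr.c, the non-overflow L_INCR path and the L_SET arm leave `error` untouched, yet the following hunk adds `if (error == 0 && noneg && offset < 0)` after the switch, so the new code depends on `error` already being 0 when the switch is entered. Nothing visible in either hunk establishes that. If the code above the switch does not guarantee it, a stale or indeterminate value would either skip the f_offset update or be returned to the caller as an errno. Adding `error = 0;` immediately before the `switch`, or a comment noting which earlier call left it at 0, would make the invariant explicit. The same applies to the identical lseek hunks in sys/kern/vfs_syscalls.c.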
@@ -1335,21 +1337,26 @@ lseek(td, uap)
 error = VOP_GETATTR(vp, &vattr, cred, td);
 VOP_UNLOCK(vp, 0, td);
 if (error)
- return (error);
+ break;
 if (noneg &&
 (vattr.va_size > OFF_MAX ||
- (offset > 0 && vattr.va_size > OFF_MAX - offset)))
- return (EOVERFLOW);
+ (offset > 0 && vattr.va_size > OFF_MAX - offset))) {
+ error = EOVERFLOW;
+ break;
+ }
 offset += vattr.va_size;
 break;
 case L_SET:
 break;
 default:
+ error = EINVAL;
+ }
+ if (error == 0 && noneg && offset < 0)
+ error = EINVAL;
+ if (error != 0) {
 fdrop(fp, td);
- return (EINVAL);
+ return (error);
 }
- if (noneg && offset < 0)
- return (EINVAL);
 fp->f_offset = offset;
 *(off_t *)(td->td_retval) = fp->f_offset;
 fdrop(fp, td);
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index e994c812418..5592bbcf881 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1326,8 +1326,10 @@ lseek(td, uap)
 case L_INCR:
 if (noneg &&
 (fp->f_offset < 0 ||
- (offset > 0 && fp->f_offset > OFF_MAX - offset)))
- return (EOVERFLOW);
+ (offset > 0 && fp->f_offset > OFF_MAX - offset))) {
+ error = EOVERFLOW;
+ break;
+ }
 offset += fp->f_offset;
 break;
 case L_XTND:
@@ -1335,21 +1337,26 @@ lseek(td, uap)
 error = VOP_GETATTR(vp, &vattr, cred, td);
 VOP_UNLOCK(vp, 0, td);
 if (error)
- return (error);
+ break;
 if (noneg &&
 (vattr.va_size > OFF_MAX ||
- (offset > 0 && vattr.va_size > OFF_MAX - offset)))
- return (EOVERFLOW);
+ (offset > 0 && vattr.va_size > OFF_MAX - offset))) {
+ error = EOVERFLOW;
+ break;
+ }
 offset += vattr.va_size;
 break;
 case L_SET:
 break;
 default:
+ error = EINVAL;
+ }
+ if (error == 0 && noneg && offset < 0)
+ error = EINVAL;
+ if (error != 0) {
 fdrop(fp, td);
- return (EINVAL);
+ return (error);
 }
- if (noneg && offset < 0)
- return (EINVAL);
 fp->f_offset = offset;
 *(off_t *)(td->td_retval) = fp->f_offset;
 fdrop(fp, td);
-- 
2.45.2
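Review bot: In the second lseek hunk of sys/kern/vfs_extattr.c, `fp` is still released at two sites, the new `if (error != 0) {` block and the success path at the end of the hunk, which is the shape that let the original leaks slip in. Guarding the two assignments with `if (error == 0) {` and falling through to a single `fdrop(fp, td);` followed by `return (error);` would leave one release point to audit. The `default:` arm also ends without a `break;`, which is harmless as the last case but easy to trip over when another case is added below it. The function's final return lies outside the hunk, so this restructuring needs checking against it; the identical hunk in sys/kern/vfs_syscalls.c would take the same change.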