From e4227c0c213af23df005740fa8fcd1c0d818793e Mon Sep 17 00:00:00 2001
From: gordon <gordon@FreeBSD.org>
Date: Tue, 20 Aug 2019 17:51:32 +0000
Subject: [PATCH] Fix reference count overflow in mqueuefs.

Approved by:	so
Security:	FreeBSD-SA-19:24.mqueuefs
Security:	CVE-2019-5603
---
 sys/kern/uipc_mqueue.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/kern/uipc_mqueue.c b/sys/kern/uipc_mqueue.c
index 183e08692b8..6af6278cd87 100644
--- a/sys/kern/uipc_mqueue.c
+++ b/sys/kern/uipc_mqueue.c
@@ -2788,7 +2788,7 @@ freebsd32_kmq_timedsend(struct thread *td,
 	if (uap->abs_timeout != NULL) {
 		error = copyin(uap->abs_timeout, &ets32, sizeof(ets32));
 		if (error != 0)
-			return (error);
+			goto out;
 		CP(ets32, ets, tv_sec);
 		CP(ets32, ets, tv_nsec);
 		abs_timeout = &ets;
@@ -2797,6 +2797,7 @@ freebsd32_kmq_timedsend(struct thread *td,
 	waitok = !(fp->f_flag & O_NONBLOCK);
 	error = mqueue_send(mq, uap->msg_ptr, uap->msg_len,
 		uap->msg_prio, waitok, abs_timeout);
+out:
 	fdrop(fp, td);
 	return (error);
 }
-- 
2.45.0