From db106eff39dd33f99c280a9789ff7e751304987d Mon Sep 17 00:00:00 2001
From: "Andrey A. Chernov" <ache@FreeBSD.org>
Date: Thu, 23 Aug 2001 17:01:25 +0000
Subject: [PATCH] lseek: fix check for vattr.va_size overflow. Check suggested
 by bde simple not works with unsigned types.

---
 sys/kern/vfs_extattr.c  | 3 ++-
 sys/kern/vfs_syscalls.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 78fff1570ad5..f6321a262640 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -1640,9 +1640,10 @@ lseek(p, uap)
 		error = VOP_GETATTR(vp, &vattr, cred, p);
 		if (error)
 			return (error);
+		/* 'vattr.va_size' is always >= 0 */
 		if (noneg &&
 		    ((offset > 0 && vattr.va_size > OFF_MAX - offset) ||
-		     (offset < 0 && vattr.va_size < OFF_MIN - offset)))
+		     (offset < 0 && vattr.va_size + offset > OFF_MAX)))
 			return (EOVERFLOW);
 		offset += vattr.va_size;
 		break;
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 78fff1570ad5..f6321a262640 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1640,9 +1640,10 @@ lseek(p, uap)
 		error = VOP_GETATTR(vp, &vattr, cred, p);
 		if (error)
 			return (error);
+		/* 'vattr.va_size' is always >= 0 */
 		if (noneg &&
 		    ((offset > 0 && vattr.va_size > OFF_MAX - offset) ||
-		     (offset < 0 && vattr.va_size < OFF_MIN - offset)))
+		     (offset < 0 && vattr.va_size + offset > OFF_MAX)))
 			return (EOVERFLOW);
 		offset += vattr.va_size;
 		break;