FS#3785 - server leaks file descriptor when client doesn't finish connecting
Attached to Project:
OpenTTD
Opened by Zdeněk Sojka (SmatZ) - Thursday, 22 April 2010, 18:09 GMT
Last edited by Remko Bijker (Rubidium) - Thursday, 22 April 2010, 18:36 GMT
Details
1) patch client
2) start server (with non-trivial map, so compressed savegame doesn't fit in two packets)
3) try to join with patched client

Every time client tries to join, a file descriptor will leak. Relevant part of lsof output:

openttd 12555 smatz 19r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
openttd 12555 smatz 20r REG 3,3 1608618 147948 /usr/share/games/openttd/data/sample.cat
openttd 12555 smatz 21r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
openttd 12555 smatz 22r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
openttd 12555 smatz 23r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
openttd 12555 smatz 24r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp

It can lead to DoS when we get out of file descriptors:

Crash reason:
Signal: Segmentation fault (11)
Message: <none>
...
Stacktrace:
[00] ./openttd(_ZNK12CrashLogUnix13LogStacktraceEPcPKc+0x39) [0x61a6b9]
[01] ./openttd(_ZNK8CrashLog12FillCrashLogEPcPKc+0xef) [0x5349ef]
[02] ./openttd(_ZNK8CrashLog12MakeCrashLogEv+0x5b) [0x534adb]
[03] ./openttd [0x61a5e6]
[04] /lib/libc.so.6 [0x2b4d02f700e0]
[05] /lib/libc.so.6(fseek+0x1) [0x2b4d02fa9281]
[06] ./openttd(_Z43NetworkPacketSend_PACKET_SERVER_MAP_commandP19NetworkClientSocket+0xee0) [0x5d34a0]
[07] ./openttd(_Z25NetworkServer_ReadPacketsP19NetworkClientSocket+0x7a) [0x5d0a9a]

On my system:
$ ulimit -n
1024

The server has to be unpassworded and client has to be able to start map download (as spectator, joining company, creating new company...)
Closed by Remko Bijker (Rubidium)
Thursday, 22 April 2010, 18:36 GMT
Reason for closing: Fixed
Additional comments about closing: In r19695

Of course just the fact we get out of file descriptors is DoS, even if the server didn't crash.
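
An added example, not part of the tracker thread and not OpenTTD code: a check that spots this kind of leak from `lsof` output by flagging a process that holds the same regular file open on several descriptors, and that estimates how many descriptors remain under the soft limit. The function names and the threshold of 3 are assumptions; the sample input is the six `lsof` lines quoted in the report.

```python
import re
from collections import defaultdict

# The six lsof lines quoted in the report (columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).
SAMPLE_LSOF = """\
openttd 12555 smatz 19r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
openttd 12555 smatz 20r REG 3,3 1608618 147948 /usr/share/games/openttd/data/sample.cat
openttd 12555 smatz 21r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
openttd 12555 smatz 22r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
openttd 12555 smatz 23r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
openttd 12555 smatz 24r REG 3,6 1642111 23558 /home/smatz/.openttd/save/autosave/network_server.tmp
"""

# Numeric FD field such as "19r" or "7u"; entries like cwd, txt and mem do not match.
FD_FIELD = re.compile(r"^(\d+)[rwu-]?[A-Za-z]?$")

def parse_lsof(text):
    """Yield (command, pid, fd, file_type, name) for numbered descriptors."""
    for line in text.splitlines():
        cols = line.split(None, 8)  # NAME is the last column and may contain spaces
        if len(cols) < 9:
            continue
        match = FD_FIELD.match(cols[3])
        if match and cols[1].isdigit():  # also skips the header row
            yield cols[0], int(cols[1]), int(match.group(1)), cols[4], cols[8]

def duplicate_opens(text, threshold=3):
    """Map (command, pid, path) to the sorted fds of regular files held open threshold+ times."""
    groups = defaultdict(list)
    for command, pid, fd, file_type, name in parse_lsof(text):
        if file_type == "REG":
            groups[(command, pid, name)].append(fd)
    return {key: sorted(fds) for key, fds in groups.items() if len(fds) >= threshold}

def descriptor_headroom(text, pid, soft_limit):
    """Conservative estimate of free descriptors: assumes every fd up to the highest seen is in use."""
    highest = max((fd for _, p, fd, _, _ in parse_lsof(text) if p == pid), default=-1)
    return soft_limit - (highest + 1)

if __name__ == "__main__":
    for (command, pid, path), fds in duplicate_opens(SAMPLE_LSOF).items():
        print(f"{command}[{pid}] holds {path} on {len(fds)} descriptors: {fds}")
    print("headroom under ulimit -n 1024:", descriptor_headroom(SAMPLE_LSOF, 12555, 1024))
```

Run against periodic `lsof -p <pid>` snapshots, a descriptor list for one path that keeps growing while headroom shrinks is the signal to alert on before the limit is reached.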