2 files changed, 13 insertions, 7 deletions

diff --git a/sys/fs/nfsclient/nfs_clrpcops.c b/sys/fs/nfsclient/nfs_clrpcops.c
index 983eb8b9226f..b61218958550 100644
--- a/sys/fs/nfsclient/nfs_clrpcops.c
+++ b/sys/fs/nfsclient/nfs_clrpcops.c
@@ -5284,7 +5284,7 @@ nfsrpc_getdirpath(struct nfsmount *nmp, u_char *dirpath, struct ucred *cred,
 	struct nfsrv_descript nfsd;
 	struct nfsrv_descript *nd = &nfsd;
 	u_char *cp, *cp2, *fhp;
-	int error, cnt, len, setnil;
+	int error, cnt, i, len, setnil;
 	u_int32_t *opcntp;
 
 	nfscl_reqstart(nd, NFSPROC_PUTROOTFH, nmp, NULL, 0, &opcntp, NULL, 0,
@@ -5325,8 +5325,12 @@ nfsrpc_getdirpath(struct nfsmount *nmp, u_char *dirpath, struct ucred *cred,
 	if (error)
 		return (error);
 	if (nd->nd_repstat == 0) {
-		NFSM_DISSECT(tl, u_int32_t *, (3 + 2 * cnt) * NFSX_UNSIGNED);
-		tl += (2 + 2 * cnt);
+		NFSM_DISSECT(tl, uint32_t *, 3 * NFSX_UNSIGNED);
+		tl += 2;
+		for (i = 0; i < cnt; i++) {
+			NFSM_DISSECT(tl, uint32_t *, 2 * NFSX_UNSIGNED);
+			tl++;
+		}
 		if ((len = fxdr_unsigned(int, *tl)) <= 0 ||
 			len > NFSX_FHMAX) {
 			nd->nd_repstat = NFSERR_BADXDR;
@@ -9756,7 +9760,7 @@ nfsm_split(struct mbuf *mp, uint64_t xfer)
 		pgno++;
 	} while (pgno < m->m_epg_npgs);
 	if (pgno == m->m_epg_npgs)
-		panic("nfsm_split: eroneous ext_pgs mbuf");
+		panic("nfsm_split: erroneous ext_pgs mbuf");
 
 	m2 = mb_alloc_ext_pgs(M_WAITOK, mb_free_mext_pgs, 0);
 	m2->m_epg_flags |= EPG_FLAG_ANON;
diff --git a/sys/fs/nfsclient/nfs_clvfsops.c b/sys/fs/nfsclient/nfs_clvfsops.c
index 5ea7eab07632..212c88f28930 100644
--- a/sys/fs/nfsclient/nfs_clvfsops.c
+++ b/sys/fs/nfsclient/nfs_clvfsops.c
@@ -927,7 +927,7 @@ nfs_mount(struct mount *mp)
 	struct vnode *vp;
 	struct thread *td;
 	char *hst;
-	u_char nfh[NFSX_FHMAX], krbname[100], dirpath[100], srvkrbname[100];
+	u_char nfh[NFSX_FHMAX], krbname[100], *dirpath, srvkrbname[100];
 	char *cp, *opt, *name, *secname, *tlscertname;
 	int nametimeo = NFS_DEFAULT_NAMETIMEO;
 	int negnametimeo = NFS_DEFAULT_NEGNAMETIMEO;
@@ -943,6 +943,7 @@ nfs_mount(struct mount *mp)
 	newflag = 0;
 	tlscertname = NULL;
 	hst = malloc(MNAMELEN, M_TEMP, M_WAITOK);
+	dirpath = malloc(MNAMELEN, M_TEMP, M_WAITOK);
 	if (vfs_filteropt(mp->mnt_optnew, nfs_opts)) {
 		error = EINVAL;
 		goto out;
@@ -1329,7 +1330,7 @@ nfs_mount(struct mount *mp)
 			goto out;
 	} else if (nfs_mount_parse_from(mp->mnt_optnew,
 	    &args.hostname, (struct sockaddr_in **)&nam, dirpath,
-	    sizeof(dirpath), &dirlen) == 0) {
+	    MNAMELEN, &dirlen) == 0) {
 		has_nfs_from_opt = 1;
 		bcopy(args.hostname, hst, MNAMELEN);
 		hst[MNAMELEN - 1] = '\0';
@@ -1387,7 +1388,7 @@ nfs_mount(struct mount *mp)
 	if (has_nfs_from_opt == 0) {
 		if (vfs_getopt(mp->mnt_optnew,
 		    "dirpath", (void **)&name, NULL) == 0)
-			strlcpy(dirpath, name, sizeof (dirpath));
+			strlcpy(dirpath, name, MNAMELEN);
 		else
 			dirpath[0] = '\0';
 		dirlen = strlen(dirpath);
@@ -1472,6 +1473,7 @@ out:
 		MNT_IUNLOCK(mp);
 	}
 	free(hst, M_TEMP);
+	free(dirpath, M_TEMP);
 	return (error);
 }