Index: portal_vfsops.c =================================================================== RCS file: /cvs/openbsd/src/sys/miscfs/portal/portal_vfsops.c,v retrieving revision 1.22 diff -u -r1.22 portal_vfsops.c --- portal_vfsops.c 29 Oct 2007 15:38:00 -0000 1.22 +++ portal_vfsops.c 30 Oct 2008 01:06:34 -0000 @@ -57,6 +57,7 @@ #include #include #include +#include #include #define portal_init ((int (*)(struct vfsconf *))nullop) @@ -189,7 +190,7 @@ * Finally, throw away the portalmount structure */ free(mp->mnt_data, M_MISCFSMNT); - mp->mnt_data = 0; + mp->mnt_data = NULL; return (0); } @@ -220,6 +221,7 @@ sbp->f_bavail = 0; sbp->f_files = 1; /* Allow for "." */ sbp->f_ffree = 0; /* See comments above */ + sbp->f_namemax = MAXNAMLEN; if (sbp != &mp->mnt_stat) { bcopy(&mp->mnt_stat.f_fsid, &sbp->f_fsid, sizeof(sbp->f_fsid)); bcopy(mp->mnt_stat.f_mntonname, sbp->f_mntonname, MNAMELEN); Index: portal_vnops.c =================================================================== RCS file: /cvs/openbsd/src/sys/miscfs/portal/portal_vnops.c,v retrieving revision 1.27 diff -u -r1.27 portal_vnops.c --- portal_vnops.c 8 May 2008 17:45:45 -0000 1.27 +++ portal_vnops.c 30 Oct 2008 01:06:34 -0000 @@ -178,6 +178,7 @@ if (error) goto bad; fvp->v_type = VREG; + uvm_vnp_setsize(fvp, 0); fvp->v_data = malloc(sizeof(struct portalnode), M_TEMP, M_WAITOK); pt = VTOPORTAL(fvp); @@ -418,7 +419,11 @@ * than a single mbuf in it. What to do? */ cmsg = mtod(cm, struct cmsghdr *); - newfds = (cmsg->cmsg_len - sizeof(*cmsg)) / sizeof (int); + if (cmsg->cmsg_len < CMSG_LEN(0)) { + error = EMSGSIZE; + goto bad; + } + newfds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int); if (newfds == 0) { error = ECONNREFUSED; goto bad; @@ -429,7 +434,7 @@ * integer file descriptors. The fds were allocated by the action * of receiving the control message. */ - ip = (int *)(cmsg + 1); + ip = (int *) CMSG_DATA(cmsg); fd = *ip++; if (newfds > 1) { /*