untrusted comment: verify with openbsd-77-base.pub
RWSbCCUoGpcxVRcOOkAhPJjnnbXsw8Xk+l1opiX1YM3rxxaGyImHyUc+ECov1wz2b9sTHki51p7iYKOLiFDxLExa+rmA0s6fMQM=

OpenBSD 7.7 errata 041, May 8, 2026:

Due to insufficient checks in NFS server, the kernel could crash.

Apply by doing:
    signify -Vep /etc/signify/openbsd-77-base.pub -x 041_nfs.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install a new kernel:
    KK=`sysctl -n kern.osversion | cut -d# -f1`
    cd /usr/src/sys/arch/`machine`/compile/$KK
    make obj
    make config
    make
    make install

Index: sys/nfs/nfs_serv.c
===================================================================
RCS file: /cvs/src/sys/nfs/nfs_serv.c,v
diff -u -p -u -r1.131.4.1 nfs_serv.c
--- sys/nfs/nfs_serv.c	4 May 2025 21:01:58 -0000	1.131.4.1
+++ sys/nfs/nfs_serv.c	5 May 2026 09:10:12 -0000
@@ -2427,17 +2427,24 @@ nfsrv_readdir(struct nfsrv_descript *nfs
 	}
 	off = toff;
 	cnt = fxdr_unsigned(int, *tl);
-	xfer = NFS_SRVMAXDATA(nfsd);
-	if (cnt > xfer || cnt < 0)
-		cnt = xfer;
-	siz = ((cnt + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1));
-	if (siz > xfer)
-		siz = xfer;
-	fullsiz = siz;
-	error = nfsrv_fhtovp(fhp, 1, &vp, cred, slp, nam, &rdonly);
-	if (!error && vp->v_type != VDIR) {
-		error = ENOTDIR;
-		vput(vp);
+	if (cnt == 0) {
+		if (info.nmi_v3)
+			error = NFSERR_TOOSMALL;
+		else
+			error = EBADRPC;
+	} else {
+		xfer = NFS_SRVMAXDATA(nfsd);
+		if (cnt > xfer || cnt < 0)
+			cnt = xfer;
+		siz = ((cnt + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1));
+		if (siz > xfer || siz <= 0)
+			siz = xfer;
+		fullsiz = siz;
+		error = nfsrv_fhtovp(fhp, 1, &vp, cred, slp, nam, &rdonly);
+		if (!error && vp->v_type != VDIR) {
+			error = ENOTDIR;
+			vput(vp);
+		}
 	}
 	if (error) {
 		if (nfsm_reply(&info, nfsd, slp, mrq, error,
@@ -2649,17 +2656,21 @@ nfsrv_readdirplus(struct nfsrv_descript 
 	tl += 2;
 	siz = fxdr_unsigned(int, *tl++);
 	cnt = fxdr_unsigned(int, *tl);
-	xfer = NFS_SRVMAXDATA(nfsd);
-	if (cnt > xfer || cnt < 0)
-		cnt = xfer;
-	siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1));
-	if (siz > xfer)
-		siz = xfer;
-	fullsiz = siz;
-	error = nfsrv_fhtovp(fhp, 1, &vp, cred, slp, nam, &rdonly);
-	if (!error && vp->v_type != VDIR) {
-		error = ENOTDIR;
-		vput(vp);
+	if (siz == 0 || cnt == 0) {
+		error = NFSERR_TOOSMALL;
+	} else {
+		xfer = NFS_SRVMAXDATA(nfsd);
+		if (cnt > xfer || cnt < 0)
+			cnt = xfer;
+		siz = ((siz + DIRBLKSIZ - 1) & ~(DIRBLKSIZ - 1));
+		if (siz > xfer || siz <= 0)
+			siz = xfer;
+		fullsiz = siz;
+		error = nfsrv_fhtovp(fhp, 1, &vp, cred, slp, nam, &rdonly);
+		if (!error && vp->v_type != VDIR) {
+			error = ENOTDIR;
+			vput(vp);
+		}
 	}
 	if (error) {
 		if (nfsm_reply(&info, nfsd, slp, mrq, error,