commit - 86c2ab2caf5eb4742e7cd227e6d29fc1dc74d855
commit + 9e2f1d9bf4c3ce413953b17fa7605b49322d1ace
blob - 65bf23d0eeec5b0f00998ddfa280ed1347ad1ad5
blob + 81e4a653acbe2dd6881f9f6c7eee40d4587ccc77
--- src/cmd/9pserve.c
+++ src/cmd/9pserve.c
@@ -220,6 +220,8 @@ mainproc(void *v)
 		f.msize = msize;
 		f.tag = NOTAG;
 		n = convS2M(&f, vbuf, sizeof vbuf);
+		if(n <= BIT16SZ)
+			sysfatal("convS2M conversion error");
 		if(verbose > 1) fprint(2, "%T * <- %F\n", &f);
 		nn = write(1, vbuf, n);
 		if(n != nn)
@@ -290,8 +292,10 @@ send9pmsg(Msg *m)
 	n = sizeS2Mu(&m->rx, m->c->dotu);
 	m->rpkt = emalloc(n);
 	nn = convS2Mu(&m->rx, m->rpkt, n, m->c->dotu);
+	if(nn <= BIT16SZ)
+		sysfatal("convS2Mu conversion error");
 	if(nn != n)
-		sysfatal("sizeS2M + convS2M disagree");
+		sysfatal("sizeS2Mu and convS2Mu disagree");
 	sendq(m->c->outq, m);
 }
 
@@ -303,8 +307,10 @@ sendomsg(Msg *m)
 	n = sizeS2Mu(&m->tx, m->c->dotu);
 	m->tpkt = emalloc(n);
 	nn = convS2Mu(&m->tx, m->tpkt, n, m->c->dotu);
+	if(nn <= BIT16SZ)
+		sysfatal("convS2Mu conversion error");
 	if(nn != n)
-		sysfatal("sizeS2M + convS2M disagree");
+		sysfatal("sizeS2Mu and convS2Mu disagree");
 	sendq(outq, m);
 }
 
@@ -1280,7 +1286,11 @@ repack(Fcall *f, uchar **ppkt, int dotu)
 		pkt = emalloc(nn);
 		*ppkt = pkt;
 	}
-	convS2Mu(f, pkt, nn, dotu);	
+	n = convS2Mu(f, pkt, nn, dotu);	
+	if(n <= BIT16SZ)
+		sysfatal("convS2M conversion error");
+	if(n != nn)
+		sysfatal("convS2Mu and sizeS2Mu disagree");
 }
 
 void
@@ -1397,7 +1407,8 @@ cvtustat(Fcall *f, uchar **fpkt, int tounix)
 
 	n = sizeD2Mu(&dir, tounix);
 	buf = emalloc(n);
-	convD2Mu(&dir, f->stat, n, tounix);
+	if(convD2Mu(&dir, buf, n, tounix) != n)
+		sysfatal("convD2Mu conversion error");
 	f->nstat = n;
 	f->stat = buf;
 
blob - b82dee2e135a3eda2d032010a1bc04c2fd124c51
blob + 17d0903cbd11ca1120e0c3dd950e672e7084446b
--- src/cmd/vac/vacfs.c
+++ src/cmd/vac/vacfs.c
@@ -557,7 +557,8 @@ rclunk(Fid *f)
 	f->open = 0;
 	vtfree(f->user);
 	f->user = nil;
-	vacfiledecref(f->file);
+	if(f->file)
+		vacfiledecref(f->file);
 	f->file = nil;
 	dirBufFree(f->db);
 	f->db = nil;
@@ -847,7 +848,9 @@ io(void)
 		if(dflag)
 			fprint(2, "vacfs:->%F\n", &thdr);
 		n = convS2Mu(&thdr, mdata, messagesize, dotu);
-		if (err)
+		if(n <= BIT16SZ)
+			sysfatal("convS2Mu conversion error");
+		if(err)
 			vtfree(err);
 
 		if(write(mfd[1], mdata, n) != n)
blob - c004babc38b3efb8fd550eebb94e0621a1279f79
blob + b59d95b4143700c700f29936839ba2aefc98fcc0
--- src/lib9/convS2M.c
+++ src/lib9/convS2M.c
@@ -211,7 +211,7 @@ convS2Mu(Fcall *f, uchar *ap, uint nap, int dotu)
 	uchar *p;
 	uint i, size;
 
-	size = sizeS2M(f);
+	size = sizeS2Mu(f, dotu);
 	if(size == 0)
 		return 0;
 	if(size > nap)
blob - fef779d8c0cf69570abb5b7274288ebfd6d821e7
blob + 81980136d40ae2934e778d96d2d463efd930b185
--- src/lib9/fcallfmt.c
+++ src/lib9/fcallfmt.c
@@ -124,7 +124,7 @@ fcallfmt(Fmt *fmt)
 		break;
 	case Rstat:
 		p = seprint(buf, e, "Rstat tag %ud ", tag);
-		if(f->nstat > sizeof tmp)
+		if(f->stat == nil || f->nstat > sizeof tmp)
 			seprint(p, e, " stat(%d bytes)", f->nstat);
 		else{
 			d = (Dir*)tmp;
@@ -135,7 +135,7 @@ fcallfmt(Fmt *fmt)
 		break;
 	case Twstat:	/* 126 */
 		p = seprint(buf, e, "Twstat tag %ud fid %ud", tag, fid);
-		if(f->nstat > sizeof tmp)
+		if(f->stat == nil || f->nstat > sizeof tmp)
 			seprint(p, e, " stat(%d bytes)", f->nstat);
 		else{
 			d = (Dir*)tmp;