2 files changed, 4 insertions, 3 deletions

diff --git a/fs/cifs/CHANGES b/fs/cifs/CHANGES
index 73ac7ebd1dfc..1cfa72ef1f37 100644
--- a/fs/cifs/CHANGES
+++ b/fs/cifs/CHANGES
@@ -7,7 +7,8 @@ specified and user does not have access to query information about the
 top of the share.  Fix problem in 2.6.28 resolving DFS paths to
 Samba servers (worked to Windows).  Fix rmdir so that pending search
 (readdir) requests do not get invalid results which include the now
-removed directory.
+removed directory.  Fix oops in cifs_dfs_ref.c when prefixpath is not reachable
+when using DFS.
 
 Version 1.55
 ------------
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 5f22de7b79a9..b234407a3007 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -228,7 +228,7 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
 
         kfree(ses->serverOS);
         /* UTF-8 string will not grow more than four times as big as UCS-16 */
-        ses->serverOS = kzalloc(4 * len, GFP_KERNEL);
+        ses->serverOS = kzalloc((4 * len) + 2 /* trailing null */, GFP_KERNEL);
         if (ses->serverOS != NULL)
                 cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len, nls_cp);
         data += 2 * (len + 1);
@@ -241,7 +241,7 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
                 return rc;
 
         kfree(ses->serverNOS);
-        ses->serverNOS = kzalloc(4 * len, GFP_KERNEL); /* BB this is wrong length FIXME BB */
+        ses->serverNOS = kzalloc((4 * len) + 2 /* trailing null */, GFP_KERNEL);
         if (ses->serverNOS != NULL) {
                 cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
                                    nls_cp);