--- sys/fs/nfsclient/nfs_clrpcops.c.crash0 2021-11-25 15:10:54.460151000 -0800
+++ sys/fs/nfsclient/nfs_clrpcops.c 2021-11-25 15:21:19.214971000 -0800
@@ -5233,6 +5233,10 @@ nfsrpc_createsession(struct nfsmount *nmp, struct nfsc
 sep->nfsess_foreslots = fxdr_unsigned(uint16_t, *tl++);
 NFSCL_DEBUG(4, "fore slots=%d\n", (int)sep->nfsess_foreslots);
 irdcnt = fxdr_unsigned(int, *tl);
+ if (irdcnt < 0 || irdcnt > 1) {
+ error = NFSERR_BADXDR;
+ goto nfsmout;
+ }
 if (irdcnt > 0)
 NFSM_DISSECT(tl, uint32_t *, irdcnt * NFSX_UNSIGNED);
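Review bot: The upper bound `1` in the added `irdcnt` check is a bare literal, so a reader cannot tell that it is the protocol's limit on the reply array and not an arbitrary cap. A comment above the check, for example `/* ca_rdma_ird<1>: reject a server-supplied count outside 0..1 before it sizes NFSM_DISSECT. */`, would record why the value is validated before `irdcnt * NFSX_UNSIGNED` is computed. The same comment could note that the `irdcnt < 0` arm is needed only because the wire value is decoded into a signed type by `fxdr_unsigned(int, *tl)`. Separately, `sep->nfsess_foreslots` is decoded from the same reply two lines earlier with no range check in this hunk; whether one exists elsewhere cannot be seen here, because nfsrpc_createsession starts and ends outside the hunk.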