From owner-freebsd-current Wed Sep 13 01:09:47 1995
Return-Path: current-owner
Received: (from majordom@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id BAA12342 for current-outgoing; Wed, 13 Sep 1995 01:09:47 -0700
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.34]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id BAA12336 for ; Wed, 13 Sep 1995 01:09:38 -0700
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.9/8.6.9) id SAA29848; Wed, 13 Sep 1995 18:01:01 +1000
Date: Wed, 13 Sep 1995 18:01:01 +1000
From: Bruce Evans
Message-Id: <199509130801.SAA29848@godzilla.zeta.org.au>
To: current@freebsd.org, terry@lambert.org
Subject: Re: BAD BUG IN UFS RENAME
Sender: current-owner@freebsd.org
Precedence: bulk

>Well, I've discovered some very interesting brain damage.

>In the case of an attempted cross-device rename, both NAMEI buffers are
>freed twice.

>In the case of a rename of a->b where a + b have the same inode numbers
>but not the same name, the from buffer is freed twice.

Also in the case of renaming "." or ".." in msdosfs if the code that
handles this is reachable.

>The code of interest for this bungle is in:

>	kern/vfs_syscalls.c (rename)
>	ufs/ufs/ufs_vnops.c (ufs_rename)

Also msdosfs/msdosfs_vnops.c (msdosfs_rename)
miscfs/devfs/devfs_vnops.c udevfs_rename)

Bruce
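The cleanup defect discussed in this thread (an early-exit path that releases the namei buffers itself and then reaches a common exit label that releases them again) is easy to reproduce in miniature. The C program below is an added example written for this page; it is not code from the thread or from the FreeBSD sources. The pathname buffers, the `sample_lookup` function and its device/inode values are all constructed for the illustration, and buffer releases are counted instead of being real frees so that a double release shows up as a number rather than as undefined behaviour. `rename_buggy` reproduces the double-release shape for the cross-device and same-inode cases the thread names; `rename_fixed` beside it leaves every release to the single exit label, which is the usual way to keep such paths balanced.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a namei pathname buffer.  Instead of freeing it,
 * we count how often it is released so a double release is observable. */
typedef struct {
    char path[64];
    int  released;          /* number of times this buffer has been released */
} pathbuf_t;

static int double_release_count;    /* bumped whenever a buffer is released twice */

static pathbuf_t *pathbuf_get(const char *p) {
    pathbuf_t *b = calloc(1, sizeof *b);
    if (b == NULL)
        abort();
    strncpy(b->path, p, sizeof b->path - 1);
    return b;
}

static void pathbuf_release(pathbuf_t *b) {
    if (b == NULL)
        return;
    if (b->released++ > 0)          /* already released once: this is the bug */
        double_release_count++;
}

/* Hypothetical device/inode identity of a path; constructed for the example. */
typedef struct { int dev; int ino; } ident_t;
typedef ident_t (*lookup_fn)(const char *path);

/* Buggy shape: the early exits release the buffers themselves and then fall
 * through to the common exit, which releases them a second time. */
static int rename_buggy(const char *from, const char *to, lookup_fn lookup) {
    pathbuf_t *fbuf = pathbuf_get(from);
    pathbuf_t *tbuf = pathbuf_get(to);
    ident_t f = lookup(from), t = lookup(to);
    int error = 0;

    if (f.dev != t.dev) {                       /* cross-device rename */
        pathbuf_release(fbuf);
        pathbuf_release(tbuf);
        error = EXDEV;
        goto out;
    }
    if (f.ino == t.ino && strcmp(from, to) != 0) {  /* same inode, other name */
        pathbuf_release(fbuf);
        goto out;
    }
    /* ... directory-entry work would go here ... */
out:
    pathbuf_release(fbuf);                      /* second release on early exits */
    pathbuf_release(tbuf);
    free(fbuf);
    free(tbuf);
    return error;
}

/* Hardened shape: early exits only record the error and jump to the one
 * exit label, so each buffer is released exactly once on every path. */
static int rename_fixed(const char *from, const char *to, lookup_fn lookup) {
    pathbuf_t *fbuf = pathbuf_get(from);
    pathbuf_t *tbuf = pathbuf_get(to);
    ident_t f = lookup(from), t = lookup(to);
    int error = 0;

    if (f.dev != t.dev) {
        error = EXDEV;
        goto out;
    }
    if (f.ino == t.ino && strcmp(from, to) != 0)
        goto out;                               /* nothing to do, still one release */
    /* ... directory-entry work would go here ... */
out:
    pathbuf_release(fbuf);
    pathbuf_release(tbuf);
    free(fbuf);
    free(tbuf);
    return error;
}

/* Constructed lookup: paths under /mnt/ live on device 2, everything else on
 * device 1; "/a" and "/a-link" share inode 10 to model a hard link. */
static ident_t sample_lookup(const char *path) {
    ident_t id = { 1, 0 };
    if (strncmp(path, "/mnt/", 5) == 0)
        id.dev = 2;
    if (strcmp(path, "/a") == 0 || strcmp(path, "/a-link") == 0)
        id.ino = 10;
    else
        id.ino = (int)strlen(path) + 100;       /* distinct enough for the example */
    return id;
}

/* Runs one rename scenario and returns how many double releases occurred. */
static int count_double_releases(int (*fn)(const char *, const char *, lookup_fn),
                                 const char *from, const char *to) {
    double_release_count = 0;
    (void)fn(from, to, sample_lookup);
    return double_release_count;
}

int main(void) {
    printf("buggy cross-device : %d double releases\n",
           count_double_releases(rename_buggy, "/a", "/mnt/b"));
    printf("buggy same-inode   : %d double releases\n",
           count_double_releases(rename_buggy, "/a", "/a-link"));
    printf("fixed cross-device : %d double releases\n",
           count_double_releases(rename_fixed, "/a", "/mnt/b"));
    printf("fixed same-inode   : %d double releases\n",
           count_double_releases(rename_fixed, "/a", "/a-link"));
    return 0;
}
```

The counting buffer is the point of the model: in a real kernel the second free hands the same memory back to the allocator twice, which corrupts free lists silently, whereas here the defect is a testable number. The single-exit-label discipline in `rename_fixed` is the simplest fix for this class of bug, because every early return then shares one, and only one, release sequence.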