From owner-freebsd-hackers Sun Sep 17 23:40:20 1995
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id XAA05374 for hackers-outgoing; Sun, 17 Sep 1995 23:40:20 -0700
Received: (from julian@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id XAA05368 for hackers; Sun, 17 Sep 1995 23:40:19 -0700
Date: Sun, 17 Sep 1995 23:40:19 -0700
From: Julian Elischer
Message-Id: <199509180640.XAA05368@freefall.freebsd.org>
To: hackers
Subject: why is this not a bug in namei?
Sender: owner-hackers@FreeBSD.org
Precedence: bulk

	if ((cnp->cn_flags & HASBUF) == 0)
		MALLOC(cnp->cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK);
[....]
	if (error) {
		free(cnp->cn_pnbuf, M_NAMEI);
		ndp->ni_vp = NULL;
		return (error);
[...]
	if (error) {
		FREE(cnp->cn_pnbuf, M_NAMEI);
		return (error);
[....]

(and more confusingly)

	if ((cnp->cn_flags & ISSYMLINK) == 0) {
		if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0)
			FREE(cnp->cn_pnbuf, M_NAMEI);
		else
			cnp->cn_flags |= HASBUF;
		return (0);
	}
[....]
	FREE(cnp->cn_pnbuf, M_NAMEI);
}

If HASBUF was set, we have freed something we didn't allocate..
(whenever we get an error, by the looks of it..)
Luckily I can't actually see anywhere that HASBUF is used (can anyone?)
but it looks wrong to me...

julian
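An added example, not part of the message above and not FreeBSD code, that models the ownership rule being questioned: the function allocates cn_pnbuf only when HASBUF is clear, so a caller that sets HASBUF still owns the buffer, and an error path that frees cn_pnbuf unconditionally frees memory it did not allocate. The caller's own later free then becomes a double free. A small instrumented allocator counts such frees instead of letting the heap get corrupted. Every name below (toy_*, enter_toy, lookup_toy, namei_toy_*) is invented for the example; the error numbers are stand-ins for ENOENT and ENOMEM.

```c
/* Added example, not FreeBSD code: a toy model of the cn_pnbuf ownership
 * question raised above.  namei() allocates the pathname buffer only when
 * HASBUF is clear, so a caller that sets HASBUF still owns the buffer; an
 * error path that frees cn_pnbuf unconditionally frees memory it did not
 * allocate, and the owner's own later free becomes a double free.
 * Every name here (toy_*, enter_toy, lookup_toy, namei_toy_*) is invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATHLEN 1024
#define HASBUF     0x01   /* caller supplied cn_pnbuf */

/* Instrumented allocator: tracks live blocks so that freeing a pointer that
 * is not live (a double free) is counted instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int bad_frees;

static void *toy_malloc(size_t n)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL)
            return live[i] = malloc(n);
    return NULL;
}

static void toy_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return;
        }
    bad_frees++;   /* not a live block: double free or foreign pointer */
}

struct toy_cnp { unsigned cn_flags; char *cn_pnbuf; };

/* Stand-in for the directory walk: any path containing "missing" fails. */
static int lookup_toy(const char *path)
{
    return strstr(path, "missing") ? 2 : 0;   /* 2 = ENOENT */
}

/* Shared front half of the quoted namei(): allocate unless HASBUF, copy
 * the path in, run the lookup.  Returns 0 or an errno-style value. */
static int enter_toy(struct toy_cnp *cnp, const char *path)
{
    if ((cnp->cn_flags & HASBUF) == 0)
        cnp->cn_pnbuf = toy_malloc(MAXPATHLEN);
    if (cnp->cn_pnbuf == NULL)
        return 12;   /* ENOMEM */
    snprintf(cnp->cn_pnbuf, MAXPATHLEN, "%s", path);
    return lookup_toy(cnp->cn_pnbuf);
}

/* Same error handling as the quoted code: free without asking who
 * allocated.  With HASBUF set this frees the caller's buffer. */
static int namei_toy_buggy(struct toy_cnp *cnp, const char *path)
{
    int error = enter_toy(cnp, path);
    if (error) {
        toy_free(cnp->cn_pnbuf);
        return error;
    }
    cnp->cn_flags |= HASBUF;   /* buffer kept; caller now owns it */
    return 0;
}

/* Fixed: decide ownership up front and release only what we allocated. */
static int namei_toy_fixed(struct toy_cnp *cnp, const char *path)
{
    int allocated = (cnp->cn_flags & HASBUF) == 0;
    int error = enter_toy(cnp, path);
    if (error) {
        if (allocated) {
            toy_free(cnp->cn_pnbuf);
            cnp->cn_pnbuf = NULL;
        }
        return error;
    }
    cnp->cn_flags |= HASBUF;
    return 0;
}

/* Caller supplies the buffer (HASBUF set), the lookup fails, and the caller
 * then frees its own buffer.  Returns the number of bad frees observed. */
static int caller_owned_scenario(int (*namei_fn)(struct toy_cnp *, const char *))
{
    bad_frees = 0;
    struct toy_cnp cnp = { HASBUF, toy_malloc(MAXPATHLEN) };
    char *mine = cnp.cn_pnbuf;
    (void)namei_fn(&cnp, "/tmp/missing");
    toy_free(mine);   /* the owner releases its buffer */
    return bad_frees;
}
```

Calling caller_owned_scenario(namei_toy_buggy) reports one bad free (the caller's release of a buffer the lookup already freed), while caller_owned_scenario(namei_toy_fixed) reports none. The fix is simply to record at entry whether the function did the allocation and to consult that record, not the caller-visible flag, on every release path; in the quoted code the flag is both an input (caller owns the buffer) and an output (buffer handed back to the caller), which is what makes the error paths hard to reason about.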