calling vmemchr assumes that the memory isn't being changed
by some other proc mapping the same page.  if you find the
NUL in one pass and then call strcpy or strlen on the pointer
later, the other proc might have pulled the NUL in the interim.

there is a function in the kernel called validnamedup
that both validates a string argument and at the same time
makes an in-kernel-memory copy.  it's the easiest safe
way to handle strings passed to the kernel.  namec uses
it and luckily almost every string pointer passed to the kernel
ends up being interpreted by namec.  exec is an exception.

when i was working on 9vx, i rewrote exec to remove
crashes like this one as well as a handful of other bugs.
the code is at
http://code.swtch.com/vx32/src/tip/src/9vx/a/sysproc.c#cl-220
and could easily be dropped back into plan 9.

russ

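The two patterns contrasted in the message above, as an added example that is not from the thread or from Plan 9: a validate-then-use scan over user memory beside a single-pass validate-and-copy in the spirit of validnamedup. The function names, NAMEMAX, and the simulated interfering process are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration: NAMEMAX and every name below are assumptions,
 * not Plan 9's validnamedup or namec. */
#define NAMEMAX 64

/* Racy pattern: validate on one pass, use the user pointer on a second.
 * other_proc stands in for a process sharing the page; it runs in the
 * window between the passes and can remove the NUL that pass 1 found. */
size_t racy_len(char *user, void (*other_proc)(char *)) {
    if (memchr(user, '\0', NAMEMAX) == NULL)
        return 0;                     /* pass 1: a NUL exists, "safe" */
    if (other_proc) other_proc(user); /* the window */
    return strlen(user);              /* pass 2: trusts pass 1 */
}
/* Single-pass validate-and-copy: each user byte is read exactly once and
 * lands in kernel-owned memory; callers use only the copy. NULL = reject. */
char *safe_namedup(const char *user, size_t *len_out) {
    char *k = malloc(NAMEMAX);
    if (k == NULL) return NULL;
    for (size_t i = 0; i < NAMEMAX; i++) {
        k[i] = user[i];               /* the only read of this byte */
        if (k[i] == '\0') { *len_out = i; return k; }
    }
    free(k);                          /* no NUL within NAMEMAX: reject */
    return NULL;
}
static void pull_the_nul(char *user) { user[3] = '-'; } /* the "other proc" */
/* Constructed user buffer "abc\0xyz\0": the second NUL keeps the
 * post-race strlen bounded so the demo stays well defined. */
size_t demo_racy(void) {
    char user[] = "abc\0xyz";
    return racy_len(user, pull_the_nul);   /* 7, not the validated 3 */
}
size_t demo_safe(void) {
    char user[] = "abc\0xyz";
    size_t n = 0;
    char *k = safe_namedup(user, &n);
    pull_the_nul(user);               /* too late: the copy is already made */
    size_t r = (k != NULL && strlen(k) == n) ? n : (size_t)-1;
    free(k);
    return r;                         /* 3 */
}
int demo_reject(void) {               /* 1: unterminated input is refused */
    char big[2 * NAMEMAX]; size_t n = 0; memset(big, 'a', sizeof big);
    return safe_namedup(big, &n) == NULL;
}
```

The racy path reports a length the validation pass never saw; the copying path is unaffected because nothing after the copy touches user memory.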