Subject: Name cache question
To: None <tech-kern@NetBSD.ORG>
From: Chad Mynhier <mynhier@cs.utk.edu>
List: tech-kern
Date: 07/21/1997 15:24:19
I was looking through the code and came across this. In
/usr/src/sys/kern/vfs_cache.c, the function cache_lookup() looks
like this:
int
cache_lookup(dvp, vpp, cnp)
	struct vnode *dvp;
	struct vnode **vpp;
	struct componentname *cnp;
{
	register struct namecache *ncp;
	register struct nchashhead *ncpp;

	if (!doingcache) {
		cnp->cn_flags &= ~MAKEENTRY;
		return (0);
	}
	if (cnp->cn_namelen > NCHNAMLEN) {
		nchstats.ncs_long++;
		cnp->cn_flags &= ~MAKEENTRY;
		return (0);
	}
If the name of the component we're looking up is too long, the lookup fails.
The code for cache_enter(), however, looks like this:
void
cache_enter(dvp, vp, cnp)
	struct vnode *dvp;
	struct vnode *vp;
	struct componentname *cnp;
{
	register struct namecache *ncp;
	register struct nchashhead *ncpp;

#ifdef DIAGNOSTIC
	if (cnp->cn_namelen > NCHNAMLEN)
		panic("cache_enter: name too long");
#endif
	[Stuff deleted]
	/* fill in cache info */
	ncp->nc_dvp = dvp;
	ncp->nc_dvpid = dvp->v_id;
	ncp->nc_nlen = cnp->cn_namelen;
	bcopy(cnp->cn_nameptr, ncp->nc_name, (unsigned)ncp->nc_nlen);
There isn't a check on cnp->cn_namelen. Am I missing something, or are
things being put into the cache that a lookup will never see? Apparently
someone else has noticed the problem, but is it just that this is never a
problem? It seems that there's potential for problems, especially because
ncp->nc_name is a fixed-size array.
Chad Mynhier <mynhier@cs.utk.edu>
Lab Engineer, CS Department
University of Tennessee, Knoxville
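The following is an added example, not code from NetBSD's vfs_cache.c or from the poster. It is a toy model of the name cache that keeps the fixed-size nc_name array and applies the same NCHNAMLEN guard in cache_enter() that cache_lookup() already has, so that nothing a lookup will never see can be entered and the copy into nc_name is always bounded. It assumes NCHNAMLEN is 31 (the value in the historical BSD sys/namei.h; check your tree); the MAKEENTRY value, the vnode-id integers standing in for vnode pointers, the NCACHE slot count and the round-robin replacement are stand-ins for this model only. model_overrun_bytes() computes how far the unchecked bcopy() in the quoted cache_enter() would write past nc_name for a given name length.

```c
#include <stdio.h>
#include <string.h>

/* Added example modelling the mail's point, not NetBSD code.  NCHNAMLEN is
 * assumed to be 31 as in the historical BSD sys/namei.h; MAKEENTRY's value,
 * NCACHE and the vnode-id fields are stand-ins for this model only. */
#define NCHNAMLEN 31
#define MAKEENTRY 0x0001
#define NCACHE    8

struct componentname {
	unsigned long cn_flags;
	const char *cn_nameptr;
	size_t cn_namelen;
};

struct namecache {
	int nc_in_use;
	int nc_dvpid;              /* directory vnode id (stand-in for nc_dvp) */
	int nc_vpid;               /* target vnode id (stand-in for nc_vp) */
	size_t nc_nlen;
	char nc_name[NCHNAMLEN];   /* fixed-size, not NUL-terminated, as in the kernel */
};

struct nchstats { unsigned long ncs_long; };

static struct namecache cache[NCACHE];
static int next_slot;
struct nchstats nchstats;

void model_cache_reset(void)
{
	memset(cache, 0, sizeof cache);
	memset(&nchstats, 0, sizeof nchstats);
	next_slot = 0;
}

/* Same guard as the quoted cache_lookup(): long names are never looked up.
 * Returns the cached vnode id, or -1 on a miss. */
int model_cache_lookup(int dvpid, struct componentname *cnp)
{
	int i;

	if (cnp->cn_namelen > NCHNAMLEN) {
		nchstats.ncs_long++;
		cnp->cn_flags &= ~MAKEENTRY;
		return -1;
	}
	for (i = 0; i < NCACHE; i++) {
		struct namecache *ncp = &cache[i];
		if (ncp->nc_in_use && ncp->nc_dvpid == dvpid &&
		    ncp->nc_nlen == cnp->cn_namelen &&
		    memcmp(ncp->nc_name, cnp->cn_nameptr, ncp->nc_nlen) == 0)
			return ncp->nc_vpid;
	}
	return -1;
}

/* cache_enter() with the check the mail finds missing outside DIAGNOSTIC:
 * refuse names that do not fit nc_name rather than copying cn_namelen bytes
 * into it.  Returns 1 when an entry was made, 0 when it was refused. */
int model_cache_enter(int dvpid, int vpid, struct componentname *cnp)
{
	struct namecache *ncp;

	if (!(cnp->cn_flags & MAKEENTRY))
		return 0;
	if (cnp->cn_namelen > NCHNAMLEN)      /* would overrun nc_name */
		return 0;
	ncp = &cache[next_slot];
	next_slot = (next_slot + 1) % NCACHE; /* crude replacement policy */
	ncp->nc_in_use = 1;
	ncp->nc_dvpid = dvpid;
	ncp->nc_vpid = vpid;
	ncp->nc_nlen = cnp->cn_namelen;
	memcpy(ncp->nc_name, cnp->cn_nameptr, ncp->nc_nlen); /* bounded by the check above */
	return 1;
}

/* Bytes the unchecked bcopy() in the quoted cache_enter() would write past
 * the end of nc_name for a name of the given length. */
size_t model_overrun_bytes(size_t namelen)
{
	return namelen > NCHNAMLEN ? namelen - NCHNAMLEN : 0;
}

/* Wrappers that build a componentname from a C string. */
int model_enter_name(int dvpid, int vpid, const char *name)
{
	struct componentname cn = { MAKEENTRY, name, strlen(name) };
	return model_cache_enter(dvpid, vpid, &cn);
}

int model_lookup_name(int dvpid, const char *name)
{
	struct componentname cn = { MAKEENTRY, name, strlen(name) };
	return model_cache_lookup(dvpid, &cn);
}

int main(void)
{
	/* constructed 40-byte name, longer than NCHNAMLEN */
	const char *longname = "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa";

	model_cache_reset();
	printf("enter 'etc': %d, lookup: %d\n",
	    model_enter_name(1, 42, "etc"), model_lookup_name(1, "etc"));
	printf("enter 40-byte name: %d, lookup: %d, unchecked overrun: %lu bytes\n",
	    model_enter_name(1, 43, longname), model_lookup_name(1, longname),
	    (unsigned long)model_overrun_bytes(strlen(longname)));
	return 0;
}
```

With the guard in place, a name longer than NCHNAMLEN is refused at entry and counted in ncs_long at lookup, so the cache never holds entries that cannot be found, and the copy into nc_name can no longer exceed the array.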