Suppose that ndp->ni_pathlen == 0 and we use cnp->cn_pnbuf for keeping the symlink content and that linklen == MAXPATHLEN. cn_pnbuf has exactly MAXPATHLEN bytes length. This line would assign zero to one byte after the buffer end, isn't it ?

ni_pathlen includes the trailing nul byte, which is the reason the above modified calculation was wrong.

It comes from the *done parameter of copystr() / copyinstr(), with len=MAXPATHLEN (lines ~324-328). The manual page describes copyinstr():

The copyinstr() function copies a NUL-terminated string, at most len
bytes long, from user-space address uaddr to kernel-space address kaddr.
The number of bytes actually copied, including the terminating NUL, is
returned in *done (if done is non-NULL).

Therefore, I do not believe ni_pathlen can ever be zero. An empty string will have an ni_pathlen of 1.

Therefore, linklen is restricted to MAXPATHLEN-1 (instead of MAXPATHLEN-2) by the changed line, and there is no problem assigning to cn_pnbuf[linklen] on the line you have noted.