This happens when there's only one component (e.g. "/foo"). This bug
has been present since June 6, 1990 when it was committed to mountd.c
SCCS version 5.9.
Looks fine to me too.
And I see that I can't blame Herb Hasler (the guy who wrote mountd.c when
he was working for me long ago). (Btw, I got email from Herb recently.
He's doing fine, living in TN these days.)
So, just out of curiosity, did this actually cause a crash or was it detected by some debugging
in malloc() or ???
With CHERI (cheri-cpu.org) this causes a crash as pointers have hardware-enforced bounds. This is pretty typical of the sort of long-standing bug we're finding. I found a similar one in tcsh a few years ago where hitting <tab> on an empty command line read a byte before the beginning of a string.
I'll make cem's suggested change before commit.