diff --git a/appl/rsh/rsh.c b/appl/rsh/rsh.c
index 73bae8055..29c2ffba1 100644
--- a/appl/rsh/rsh.c
+++ b/appl/rsh/rsh.c
@@ -325,6 +325,10 @@ send_krb5_auth(int s,
 				  do_encrypt ? "-x " : "",
 				  cmd,
 				  remote_user);
+    if (cksum_data.length == -1) {
+	warnx ("%s: failed to allocate command", hostname);
+	return 1;
+    }
 
     ap_opts = 0;
 
diff --git a/appl/rsh/rshd.c b/appl/rsh/rshd.c
index c34b36fe8..def89bb12 100644
--- a/appl/rsh/rshd.c
+++ b/appl/rsh/rshd.c
@@ -376,6 +376,8 @@ recv_krb5_auth (int s, u_char *buf,
 				  ntohs(socket_get_port (thisaddr)),
 				  *cmd,
 				  *server_username);
+    if (cksum_data.length == -1)
+	syslog_and_die ("asprintf: out of memory");
 
     status = krb5_verify_authenticator_checksum(context, 
 						auth_context,
@@ -632,19 +634,25 @@ setup_environment (char ***env, const struct passwd *pwd)
     e = *env;
     e = realloc(e, (i + 7) * sizeof(char *));
 
-    asprintf (&e[i++], "USER=%s",  pwd->pw_name);
-    asprintf (&e[i++], "HOME=%s",  pwd->pw_dir);
-    asprintf (&e[i++], "SHELL=%s", pwd->pw_shell);
+    if (asprintf (&e[i++], "USER=%s",  pwd->pw_name) == -1)
+	syslog_and_die ("asprintf: out of memory");
+    if (asprintf (&e[i++], "HOME=%s",  pwd->pw_dir) == -1)
+	syslog_and_die ("asprintf: out of memory");
+    if (asprintf (&e[i++], "SHELL=%s", pwd->pw_shell) == -1)
+	syslog_and_die ("asprintf: out of memory");
     if (! path) {
-	asprintf (&e[i++], "PATH=%s",  _PATH_DEFPATH);
+	if (asprintf (&e[i++], "PATH=%s",  _PATH_DEFPATH) == -1)
+	    syslog_and_die ("asprintf: out of memory");
     }
     asprintf (&e[i++], "SSH_CLIENT=only_to_make_bash_happy");
 #if defined(DCE)
     if (getenv("KRB5CCNAME"))
-	asprintf (&e[i++], "KRB5CCNAME=%s",  getenv("KRB5CCNAME"));
+	if (asprintf (&e[i++], "KRB5CCNAME=%s",  getenv("KRB5CCNAME")) == -1)
+	    syslog_and_die ("asprintf: out of memory");
 #else
     if (do_unique_tkfile)
-	asprintf (&e[i++], "KRB5CCNAME=%s", tkfile);
+	if (asprintf (&e[i++], "KRB5CCNAME=%s", tkfile) == -1)
+	    syslog_and_die ("asprintf: out of memory");
 #endif
     e[i++] = NULL;
     *env = e;
diff --git a/appl/su/su.c b/appl/su/su.c
index 530869e06..a59ce25e9 100644
--- a/appl/su/su.c
+++ b/appl/su/su.c
@@ -248,8 +248,10 @@ krb5_start_session(void)
 
     ret = krb5_cc_copy_cache(context, ccache, ccache2);
 
-    asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
-	     krb5_cc_get_name(context, ccache2));
+    ret = asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
+		   krb5_cc_get_name(context, ccache2));
+    if (ret == -1)
+	errx(1, "malloc - out of memory");
     esetenv("KRB5CCNAME", cc_name, 1);
 
     /* we want to export this even if we don't directly support KRB4 */
@@ -299,9 +301,11 @@ krb_verify(const struct passwd *login_info,
        krb_kuserok(name, instance, realm, su_info->pw_name) == 0) {
 	char password[128];
 	char *prompt;
-	asprintf (&prompt, 
+	ret = asprintf (&prompt, 
 		  "%s's Password: ",
 		  krb_unparse_name_long (name, instance, realm));
+	if (ret == -1)
+	    return (1);
 	if (UI_UTIL_read_pw_string (password, sizeof (password), prompt, 0)) {
 	    memset (password, 0, sizeof (password));
 	    free(prompt);
@@ -515,9 +519,10 @@ main(int argc, char **argv)
 	if (args == NULL)
 	    err (1, "malloc");
 	i = 0;
-	if(full_login)
-	    asprintf(&args[i++], "-%s", p);
-	else
+	if(full_login) {
+	    if (asprintf(&args[i++], "-%s", p) == -1)
+		errx (1, "malloc");
+	} else
 	    args[i++] = p;
 	if (cmd) {
 	   args[i++] = "-c";