Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.

We turn on a few extra warnings and fix the fallout that occurs
when building with --enable-developer.  Note that we get different
warnings on different machines and so this will be a work in
progress.  So far, we have built on NetBSD/amd64 5.99.64 (which
uses gcc 4.5.3) and Ubuntu 10.04.3 LTS (which uses gcc 4.4.3).

Notably, we fixed

	1.  a lot of missing structure initialisers,

	2.  unchecked return values for functions that glibc
	    marks as __attribute__((warn-unused-result)),

	3.  made minor modifications to slc and asn1_compile
	    which can generate code which generates warnings,
	    and

	4.  a few stragglers here and there.

We turned off the extended warnings for many programs in appl/ as
they are nearing the end of their useful lifetime, e.g.  rsh, rcp,
popper, ftp and telnet.

Interestingly, glibc's strncmp() macro needed to be worked around
whereas the function calls did not.

We have not yet tried this on 32 bit platforms, so there will be
a few more warnings when we do.

appl/afsutil/afslog.c

@@ -61,15 +61,16 @@ struct getargs args[] = {
     { "cell",	'c', arg_strings, &cells, "cells to get tokens for", "cell" },
     { "file",	'p', arg_strings, &files, "files to get tokens for", "path" },
     { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
-    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens" },
+    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens", NULL },
 #ifdef KRB5
     { "principal",'P',arg_string,&client_string,"principal to use","principal"},
     { "cache",   0,  arg_string, &cache_string, "ccache to use", "cache"},
-    { "v5",	 0,  arg_negative_flag, &use_krb5, "don't use Kerberos 5" },
+    { "v5",	 0,  arg_negative_flag, &use_krb5, "don't use Kerberos 5",
+      NULL },
 #endif
-    { "verbose",'v', arg_flag, &verbose },
-    { "version", 0,  arg_flag, &version_flag },
-    { "help",	'h', arg_flag, &help_flag },
+    { "verbose",'v', arg_flag, &verbose, NULL, NULL },
+    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
+    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

appl/afsutil/pagsh.c

@@ -73,12 +73,12 @@ static char *typename_arg;
 #endif
 
 struct getargs getargs[] = {
-    { NULL,	'c', arg_flag, &c_flag },
+    { NULL,	'c', arg_flag, &c_flag, NULL, NULL },
 #ifdef KRB5
-    { "cache-type", 0,  arg_string, &typename_arg },
+    { "cache-type", 0,  arg_string, &typename_arg, NULL, NULL },
 #endif
-    { "version", 0,  arg_flag, &version_flag },
-    { "help",	'h', arg_flag, &help_flag },
+    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
+    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
 };
 
 static int num_args = sizeof(getargs) / sizeof(getargs[0]);

appl/ftp/ftp/Makefile.am

@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 AM_CPPFLAGS += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_hcrypto)
 
 bin_PROGRAMS = ftp

appl/ftp/ftp/cmds.c

@@ -210,7 +210,7 @@ struct	types {
 	{ "image",	"I",	TYPE_I,	0 },
 	{ "ebcdic",	"E",	TYPE_E,	0 },
 	{ "tenex",	"L",	TYPE_L,	bytename },
-	{ NULL }
+	{ NULL, NULL, 0, NULL }
 };
 
 /*
@@ -1316,7 +1316,8 @@ user(int argc, char **argv)
 	if (n == CONTINUE) {
 		if (argc < 4) {
 			printf("Account: "); fflush(stdout);
-			fgets(acctstr, sizeof(acctstr) - 1, stdin);
+			if (fgets(acctstr, sizeof(acctstr) - 1, stdin) == NULL)
+				acctstr[0] = '\0';
 			acctstr[strcspn(acctstr, "\r\n")] = '\0';
 			argv[3] = acctstr; argc++;
 		}

appl/ftp/ftp/cmdtab.c

@@ -197,7 +197,7 @@ struct cmd cmdtab[] = {
 	{ "afslog",	afsloghelp,	0,	1,	0,	afslog },
 #endif
 
-	{ 0 },
+	{ NULL, NULL, 0, 0, 0, NULL },
 };
 
 int	NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1;

appl/ftp/ftpd/ftpd.c

@@ -212,25 +212,32 @@ static int version_flag;
 static const char *good_chars = "+-=_,.";
 
 struct getargs args[] = {
-    { NULL, 'a', arg_string, &auth_string, "required authentication" },
-    { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket" },
-    { NULL, 'p', arg_string, &port_string, "what port to listen to" },
-    { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins" },
+    { NULL, 'a', arg_string, &auth_string, "required authentication", NULL },
+    { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket",
+      NULL },
+    { NULL, 'p', arg_string, &port_string, "what port to listen to", NULL },
+    { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins",
+      NULL },
     { NULL, 'l', arg_counter, &logging, "log more stuff", "" },
-    { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" },
-    { NULL, 'T', arg_integer, &maxtimeout, "max timeout" },
-    { NULL, 'u', arg_string, &umask_string, "umask for user logins" },
-    { NULL, 'U', arg_negative_flag, &restricted_data_ports, "don't use high data ports" },
-    { NULL, 'd', arg_flag, &debug, "enable debugging" },
-    { NULL, 'v', arg_flag, &debug, "enable debugging" },
-    { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" },
-    { "good-chars", 0, arg_string, &good_chars, "allowed anonymous upload filename chars" },
-    { "insecure-oob", 'I', arg_negative_flag, &allow_insecure_oob, "don't allow insecure OOB ABOR/STAT" },
+    { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout", NULL },
+    { NULL, 'T', arg_integer, &maxtimeout, "max timeout", NULL },
+    { NULL, 'u', arg_string, &umask_string, "umask for user logins", NULL },
+    { NULL, 'U', arg_negative_flag, &restricted_data_ports,
+      "don't use high data ports", NULL },
+    { NULL, 'd', arg_flag, &debug, "enable debugging", NULL },
+    { NULL, 'v', arg_flag, &debug, "enable debugging", NULL },
+    { "builtin-ls", 'B', arg_flag, &use_builtin_ls,
+      "use built-in ls to list files", NULL },
+    { "good-chars", 0, arg_string, &good_chars,
+      "allowed anonymous upload filename chars", NULL },
+    { "insecure-oob", 'I', arg_negative_flag, &allow_insecure_oob,
+      "don't allow insecure OOB ABOR/STAT", NULL },
 #ifdef KRB5
-    { "gss-bindings", 0,  arg_flag, &ftp_do_gss_bindings, "Require GSS-API bindings", NULL},
+    { "gss-bindings", 0,  arg_flag, &ftp_do_gss_bindings,
+      "Require GSS-API bindings", NULL},
 #endif
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 'h', arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
@@ -972,7 +979,7 @@ retrieve(const char *cmd, char *name)
 			{".tar.Z", "/bin/gtar ZcPf - %s", NULL},
 			{".gz", "/bin/gzip -c -- %s", "/bin/gzip -c -d -- %s"},
 			{".Z", "/bin/compress -c -- %s", "/bin/uncompress -c -- %s"},
-			{NULL, NULL}
+			{NULL, NULL, NULL}
 		    };
 		    struct cmds *p;
 		    for(p = cmds; p->ext; p++){
@@ -1272,7 +1279,7 @@ dataconn(const char *name, off_t size, const char *mode)
 		close(pdata);
 		pdata = s;
 #if defined(IPTOS_THROUGHPUT)
-		if (from->sa_family == AF_INET)
+		if (from_ss.ss_family == AF_INET)
 		    socket_set_tos(s, IPTOS_THROUGHPUT);
 #endif
 		reply(150, "Opening %s mode data connection for '%s'%s.",

appl/ftp/ftpd/logwtmp.c

@@ -107,7 +107,9 @@ static void
 ftpd_logwtmp_wtmp(char *line, char *name, char *host)
 {
     static int init = 0;
+#ifdef WTMP_FILE
     static int fd;
+#endif
 #ifdef WTMPX_FILE
     static int fdx;
 #endif
@@ -117,6 +119,9 @@ ftpd_logwtmp_wtmp(char *line, char *name, char *host)
 #if defined(WTMPX_FILE) || defined(HAVE_UTMPX_H)
     struct utmpx utx;
 #endif
+#if defined(WTMP_FILE) || defined(WTMPX_FILE)
+    ssize_t ret;
+#endif
 
 #ifdef HAVE_UTMPX_H
     memset(&utx, 0, sizeof(struct utmpx));
@@ -176,14 +181,18 @@ ftpd_logwtmp_wtmp(char *line, char *name, char *host)
 #endif
 	init = 1;
     }
+#if defined(WTMP_FILE) || defined(WTMPX_FILE)
     if(fd >= 0) {
 #ifdef WTMP_FILE
-	write(fd, &ut, sizeof(struct utmp)); /* XXX */
+	ret = write(fd, &ut, sizeof(struct utmp)); /* XXX */
 #endif
 #ifdef WTMPX_FILE
-	write(fdx, &utx, sizeof(struct utmpx));
+	ret = write(fdx, &utx, sizeof(struct utmpx));
 #endif
+	if (ret == -1)
+	    syslog(LOG_ERR, "ftpd_logwtmp_wtmp(): write(2) failed: %m");
     }
+#endif
 }
 
 #endif /* !HAVE_ASL_H */

appl/gssmask/gssmaestro.c

@@ -280,7 +280,7 @@ wait_log(struct client *c)
     if (fd < 0)
 	err(1, "failed to build socket for %s's logging port", c->moniker);
 
-    ((struct sockaddr *)&sast)->sa_family = c->sa->sa_family;
+    sast.ss_family = c->sa->sa_family;
     ret = bind(fd, (struct sockaddr *)&sast, c->salen);
     if (ret < 0)
 	err(1, "failed to bind %s's logging port", c->moniker);

appl/gssmask/gssmask.c

@@ -73,10 +73,13 @@ logmessage(struct client *c, const char *file, unsigned int lineno,
     char *message;
     va_list ap;
     int32_t ackid;
+    int ret;
 
     va_start(ap, fmt);
-    vasprintf(&message, fmt, ap);
+    ret = vasprintf(&message, fmt, ap);
     va_end(ap);
+    if (ret == -1)
+	errx(1, "out of memory");
 
     if (logfile)
 	fprintf(logfile, "%s:%u: %d %s\n", file, lineno, level, message);
@@ -643,6 +646,7 @@ HandleOP(GetVersionAndCapabilities)
 {
     int32_t cap = HAS_MONIKER;
     char name[256] = "unknown", *str;
+    int ret;
 
     if (targetname)
 	cap |= ISSERVER; /* is server */
@@ -657,7 +661,9 @@ HandleOP(GetVersionAndCapabilities)
     }
 #endif
 
-    asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
+    ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
+    if (ret == -1)
+	errx(1, "out of memory");
 
     put32(c, GSSMAGGOTPROTOCOL);
     put32(c, cap);
@@ -1084,6 +1090,7 @@ static struct client *
 create_client(int fd, int port, const char *moniker)
 {
     struct client *c;
+    int ret;
 
     c = ecalloc(1, sizeof(*c));
 
@@ -1092,9 +1099,14 @@ create_client(int fd, int port, const char *moniker)
     } else {
 	char hostname[MAXHOSTNAMELEN];
 	gethostname(hostname, sizeof(hostname));
-	asprintf(&c->moniker, "gssmask: %s:%d", hostname, port);
+	ret = asprintf(&c->moniker, "gssmask: %s:%d", hostname, port);
+	if (ret == -1)
+	    c->moniker = NULL;
     }
 
+    if (!c->moniker)
+	errx(1, "out of memory");
+
     {
 	c->salen = sizeof(c->sa);
 	getpeername(fd, (struct sockaddr *)&c->sa, &c->salen);

appl/kf/kf.c

@@ -51,8 +51,8 @@ static struct getargs args[] = {
        "Forward forwardable credentials", NULL },
     { "forwardable",'G',arg_negative_flag,&forwardable,
        "Don't forward forwardable credentials", NULL },
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

appl/kf/kfd.c

@@ -49,8 +49,8 @@ static struct getargs args[] = {
     { "inetd",'i',arg_flag, &do_inetd,
        "Not started from inetd", NULL },
     { "regpag",'R',arg_string,&regpag_str,"path to regpag binary","regpag"},
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

appl/kx/krb5.c

@@ -65,17 +65,19 @@ ksyslog(krb5_context context, krb5_error_code ret, const char *fmt, ...)
     const char *msg;
     char *str = NULL;
     va_list va;
+    int aret;
 
     msg = krb5_get_error_message(context, ret);
 
     va_start(va, fmt);
-    vasprintf(&str, fmt, va);
+    aret = vasprintf(&str, fmt, va);
     va_end(va);
 
-    syslog(LOG_ERR, "%s: %s", str, msg);
+    syslog(LOG_ERR, "%s: %s", aret != -1 ? str : "(nil)", msg);
 
     krb5_free_error_message(context, msg);
-    free(str);
+    if (aret != -1)
+	free(str);
 }
 
 /*

appl/kx/kx.c

@@ -616,13 +616,13 @@ struct getargs args[] = {
     { "user",	'l', arg_string,	&user,		"Run as this user",
       NULL },
     { "tcp",	't', arg_flag,		&tcp_flag,
-      "Use a TCP connection for X11" },
+      "Use a TCP connection for X11", NULL },
     { "passive", 'P', arg_flag,		&passive_flag,
-      "Force a passive connection" },
+      "Force a passive connection", NULL },
     { "keepalive", 'k', arg_negative_flag, &keepalive_flag,
-      "disable keep-alives" },
+      "disable keep-alives", NULL },
     { "debug",	'd',	arg_flag,	&debug_flag,
-      "Enable debug information" },
+      "Enable debug information", NULL },
     { "version", 0,  arg_flag,		&version_flag,	"Print version",
       NULL },
     { "help",	 0,  arg_flag,		&help_flag,	NULL,

appl/kx/kxd.c

@@ -336,7 +336,7 @@ doit_conn (kx_context *kc,
     }
 #endif
     memset (&__ss_addr, 0, sizeof(__ss_addr));
-    addr->sa_family = kc->thisaddr->sa_family;
+    __ss_addr.ss_family = kc->thisaddr->sa_family;
     if (kc->thisaddr_len > sizeof(__ss_addr)) {
 	syslog(LOG_ERR, "error in af");
 	return 1;
@@ -403,6 +403,7 @@ close_connection(int fd, const char *message)
     char *p;
     int lsb = 0;
     size_t mlen;
+    ssize_t ret;
 
     mlen = strlen(message);
     if(mlen > 255)
@@ -433,7 +434,7 @@ close_connection(int fd, const char *message)
 	buf[6] = 0;
 	buf[7] = (p - buf - 8) / 4;
     }
-    write(fd, buf, p - buf);
+    ret = write(fd, buf, p - buf);
     close(fd);
 }
 
@@ -707,12 +708,13 @@ static int help_flag		= 0;
 
 struct getargs args[] = {
     { "inetd",		'i',	arg_negative_flag,	&inetd_flag,
-      "Not started from inetd" },
-    { "tcp",		't',	arg_flag,	&tcp_flag,	"Use TCP" },
+      "Not started from inetd", NULL },
+    { "tcp",		't',	arg_flag,	&tcp_flag,	"Use TCP",
+      NULL },
     { "port",		'p',	arg_string,	&port_str,	"Use this port",
       "port" },
-    { "version",	0, 	arg_flag,		&version_flag },
-    { "help",		0, 	arg_flag,		&help_flag }
+    { "version",	0, 	arg_flag,	&version_flag,	NULL, NULL },
+    { "help",		0, 	arg_flag,	&help_flag,	NULL, NULL }
 };
 
 static void

appl/login/env.c

@@ -53,10 +53,11 @@ extend_env(char *str)
 void
 add_env(const char *var, const char *value)
 {
+    int aret;
     int i;
     char *str;
-    asprintf(&str, "%s=%s", var, value);
-    if(str == NULL)
+    aret = asprintf(&str, "%s=%s", var, value);
+    if(aret == -1)
 	errx(1, "Out of memory!");
     for(i = 0; i < num_env; i++)
 	if(strncmp(env[i], var, strlen(var)) == 0 &&

appl/login/limits_conf.c

@@ -48,7 +48,7 @@ struct limit {
     int has_limit;
     struct rlimit limit;
 } limits[] = {
-#define LIM(X, S) { #X, RLIMIT_##X, S, 0 }
+#define LIM(X, S) { #X, RLIMIT_##X, S, 0, {0, 0} }
     LIM(CORE, 1024),
     LIM(CPU, 60),
     LIM(DATA, 1024),
@@ -75,7 +75,7 @@ struct limit {
       maxlogins
       priority
     */
-    { NULL, 0 }
+    { NULL, 0, 0, 0, {0, 0}  }
 };
 
 static struct limit *

appl/login/login.c

@@ -246,18 +246,19 @@ static char *remote_host;
 static char *auth_level = NULL;
 
 struct getargs args[] = {
-    { NULL, 'a', arg_string,    &auth_level,    "authentication mode" },
+    { NULL, 'a', arg_string,    &auth_level,    "authentication mode", NULL },
 #if 0
-    { NULL, 'd' },
+    { NULL, 'd', NULL,          NULL,           NULL, NULL },
 #endif
-    { NULL, 'f', arg_flag,	&f_flag,	"pre-authenticated" },
+    { NULL, 'f', arg_flag,	&f_flag,	"pre-authenticated", NULL },
     { NULL, 'h', arg_string,	&remote_host,	"remote host", "hostname" },
-    { NULL, 'p', arg_flag,	&p_flag,	"don't purge environment" },
+    { NULL, 'p', arg_flag,	&p_flag,	"don't purge environment",
+      NULL },
 #if 0
-    { NULL, 'r', arg_flag,	&r_flag,	"rlogin protocol" },
+    { NULL, 'r', arg_flag,	&r_flag,	"rlogin protocol", NULL },
 #endif
-    { "version", 0,  arg_flag,	&version_flag },
-    { "help",	 0,  arg_flag,&help_flag, }
+    { "version", 0,  arg_flag,	&version_flag,  NULL, NULL },
+    { "help",	 0,  arg_flag,&help_flag,       NULL, NULL }
 };
 
 int nargs = sizeof(args) / sizeof(args[0]);

appl/otp/otp.c

@@ -46,16 +46,16 @@ static int version_flag;
 static int help_flag;
 
 struct getargs args[] = {
-    { "list", 'l', arg_flag, &listp, "list OTP status" },
-    { "delete", 'd', arg_flag, &deletep, "delete OTP" },
-    { "open", 'o', arg_flag, &openp, "open a locked OTP" },
-    { "renew", 'r', arg_flag, &renewp, "securely renew OTP" },
+    { "list", 'l', arg_flag, &listp, "list OTP status", NULL },
+    { "delete", 'd', arg_flag, &deletep, "delete OTP", NULL },
+    { "open", 'o', arg_flag, &openp, "open a locked OTP", NULL },
+    { "renew", 'r', arg_flag, &renewp, "securely renew OTP", NULL },
     { "hash", 'f', arg_string, &alg_string,
       "hash algorithm (md4, md5, or sha)", "algorithm"},
     { "user", 'u', arg_string, &user,
       "user other than current user (root only)", "user" },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 'h', arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL }
 };
 
 int num_args = sizeof(args) / sizeof(args[0]);

appl/otp/otpprint.c

@@ -44,13 +44,14 @@ static int version_flag;
 static int help_flag;
 
 struct getargs args[] = {
-    { "extended", 'e', arg_flag, &extendedp, "print keys in extended format" },
-    { "count", 'n', arg_integer, &count, "number of keys to print" },
-    { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal" },
+    { "extended", 'e', arg_flag, &extendedp, "print keys in extended format",
+      NULL },
+    { "count", 'n', arg_integer, &count, "number of keys to print", NULL },
+    { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal", NULL },
     { "hash", 'f', arg_string, &alg_string,
       "hash algorithm (md4, md5, or sha)", "algorithm"},
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 
 int num_args = sizeof(args) / sizeof(args[0]);

appl/popper/Makefile.am

@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 noinst_PROGRAMS = pop_debug
 
 libexec_PROGRAMS = popper

appl/push/push.c

@@ -223,7 +223,7 @@ doit(int s,
     unsigned sent_xdele = 0;
     int out_fd;
     char from_line[128];
-    size_t from_line_length;
+    ssize_t from_line_length;
     time_t now;
     struct write_state write_state;
     unsigned int numheaders = 1;

appl/rcp/Makefile.am

@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 bin_PROGRAMS = rcp
 
 rcp_SOURCES  = rcp.c util.c rcp_locl.h extern.h

appl/rcp/rcp.c

@@ -58,21 +58,23 @@ static int fflag, tflag;
 static int version_flag, help_flag;
 
 struct getargs args[] = {
-    { NULL,	'4', arg_flag,		&usekrb4,	"use Kerberos 4 authentication" },
-    { NULL,	'5', arg_flag,		&usekrb5,	"use Kerberos 5 authentication" },
-    { NULL,	'F', arg_flag,		&forwardtkt,	"forward credentials" },
-    { NULL,	'K', arg_flag,		&usebroken,	"use BSD authentication" },
-    { NULL,	'P', arg_string,	&port,		"non-default port", "port" },
-    { NULL,	'p', arg_flag,		&pflag,	"preserve file permissions" },
-    { NULL,	'r', arg_flag,		&iamrecursive,	"recursive mode" },
-    { NULL,	'x', arg_flag,		&doencrypt,	"use encryption" },
-    { NULL,	'z', arg_flag,		&noencrypt,	"don't encrypt" },
-    { NULL,	'd', arg_flag,		&targetshouldbedirectory },
-    { NULL,	'e', arg_flag,		&eflag, 	"passed to rsh" },
-    { NULL,	'f', arg_flag,		&fflag },
-    { NULL,	't', arg_flag,		&tflag },
-    { "version", 0,  arg_flag,		&version_flag },
-    { "help",	 0,  arg_flag,		&help_flag }
+    { NULL,	'4', arg_flag,	 &usekrb4,	"use Kerberos 4 authentication",      NULL },
+    { NULL,	'5', arg_flag,	 &usekrb5,	"use Kerberos 5 authentication",      NULL },
+    { NULL,	'F', arg_flag,	 &forwardtkt,	"forward credentials", NULL },
+    { NULL,	'K', arg_flag,	 &usebroken,	"use BSD authentication",
+      NULL },
+    { NULL,	'P', arg_string, &port,		"non-default port", "port" },
+    { NULL,	'p', arg_flag,	 &pflag,	"preserve file permissions",
+      NULL },
+    { NULL,	'r', arg_flag,	 &iamrecursive,	"recursive mode", NULL },
+    { NULL,	'x', arg_flag,	 &doencrypt,	"use encryption", NULL },
+    { NULL,	'z', arg_flag,	 &noencrypt,	"don't encrypt", NULL },
+    { NULL,	'd', arg_flag,	 &targetshouldbedirectory, NULL, NULL },
+    { NULL,	'e', arg_flag,	 &eflag,	"passed to rsh", NULL },
+    { NULL,	'f', arg_flag,	 &fflag,	NULL, NULL },
+    { NULL,	't', arg_flag,	 &tflag,	NULL, NULL },
+    { "version", 0,  arg_flag,	 &version_flag,	NULL, NULL },
+    { "help",	 0,  arg_flag,	 &help_flag,	NULL, NULL }
 };
 
 static void

appl/rsh/Makefile.am

@@ -4,6 +4,8 @@ include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I$(srcdir)/../login $(INCLUDE_hcrypto)
 
+WFLAGS += $(WFLAGS_LITE)
+
 bin_PROGRAMS = rsh
 
 man_MANS = rsh.1 rshd.8

appl/su/su.c

@@ -80,19 +80,19 @@ char tkfile[256];
 
 struct getargs args[] = {
     { "kerberos", 'K', arg_negative_flag, &kerberos_flag,
-      "don't use kerberos" },
+      "don't use kerberos", NULL },
     { NULL,	  'f', arg_flag,	  &csh_f_flag,
-      "don't read .cshrc" },
+      "don't read .cshrc", NULL },
     { "full",	  'l', arg_flag,          &full_login,
-      "simulate full login" },
+      "simulate full login", NULL },
     { NULL,	  'm', arg_flag,          &env_flag,
-      "leave environment unmodified" },
+      "leave environment unmodified", NULL },
     { "instance", 'i', arg_string,        &kerberos_instance,
-      "root instance to use" },
+      "root instance to use", NULL },
     { "command",  'c', arg_string,        &cmd,
-      "command to execute" },
-    { "help", 	  'h', arg_flag,          &help_flag },
-    { "version",  0,   arg_flag,          &version_flag },
+      "command to execute", NULL },
+    { "help",	  'h', arg_flag,          &help_flag, NULL, NULL },
+    { "version",  0,   arg_flag,          &version_flag, NULL, NULL },
 };
 
 

appl/telnet/libtelnet/Makefile.am

@@ -4,6 +4,8 @@ include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_hcrypto)
 
+WFLAGS += $(WFLAGS_LITE)
+
 noinst_LIBRARIES = libtelnet.a
 
 libtelnet_a_SOURCES = \

appl/telnet/libtelnet/auth.c

@@ -166,10 +166,10 @@ Authenticator authenticators[] = {
       rsaencpwd_status,
       rsaencpwd_printsub },
 #endif
-    { 0, },
+    { 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
 };
 
-static Authenticator NoAuth = { 0 };
+static Authenticator NoAuth = { 0, 0, NULL, NULL, NULL, NULL, NULL, NULL };
 
 static int	i_support = 0;
 static int	i_wont_support = 0;

appl/telnet/libtelnet/encrypt.c

@@ -128,7 +128,7 @@ static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64)
 	   ofb64_keyid,
 	   ofb64_printsub },
 #endif
-	 { 0, },
+	 { 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
      };
 
 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,

appl/telnet/telnet/Makefile.am

@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_hcrypto)
 
 bin_PROGRAMS = telnet

appl/telnet/telnetd/Makefile.am

@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_hcrypto)
 
 libexec_PROGRAMS = telnetd

appl/telnet/telnetd/utility.c

@@ -87,7 +87,7 @@ ttloop(void)
 int
 stilloob(int s)
 {
-    static struct timeval timeout = { 0 };
+    static struct timeval timeout = { 0, 0 };
     fd_set	excepts;
     int value;
 

appl/test/Makefile.am

@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
 	uu_server uu_client nt_gss_server nt_gss_client http_client
 

appl/test/common.c

@@ -51,9 +51,9 @@ static struct getargs args[] = {
     { "keytab", 'k', arg_string, &keytab_str, "keytab to use", "keytab" },
     { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" },
     { "password", 'P', arg_string, &password, "password to use", "password" },
-    { "fork", 'f', arg_flag, &fork_flag, "do fork" },
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "fork", 'f', arg_flag, &fork_flag, "do fork", NULL },
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

appl/test/http_client.c

@@ -117,15 +117,17 @@ static char *port_str = "http";
 static char *gss_service = "HTTP";
 
 static struct getargs http_args[] = {
-    { "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", },
+    { "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", NULL },
     { "port", 'p', arg_string, &port_str, "port to connect to", "port" },
-    { "delegate", 0, arg_flag, &delegate_flag, "gssapi delegate credential" },
+    { "delegate", 0, arg_flag, &delegate_flag, "gssapi delegate credential",
+      NULL },
     { "gss-service", 's', arg_string, &gss_service, "gssapi service to use",
       "service" },
     { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" },
-    { "mutual", 0, arg_negative_flag, &mutual_flag, "no gssapi mutual auth" },
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "mutual", 0, arg_negative_flag, &mutual_flag, "no gssapi mutual auth",
+      NULL },
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_http_args = sizeof(http_args) / sizeof(http_args[0]);

appl/test/nt_gss_server.c

@@ -58,8 +58,8 @@ static struct getargs args[] = {
     { "service", 's', arg_string, &service, "service to use", "service" },
     { "dump-auth", 0, arg_string, &auth_file, "dump authorization data",
       "file" },
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

base/bsearch.c

@@ -171,7 +171,7 @@ bsearch_common(const char *buf, size_t sz, const char *key,
 
     /* Binary search; file should be sorted */
     for (l = 0, r = rmax = sz, i = sz >> 1; i >= l && i < rmax; loop_count++) {
-	heim_assert(i >= 0 && i < sz, "invalid aname2lname db index");
+	heim_assert(i < sz, "invalid aname2lname db index");
 
 	/* buf[i] is likely in the middle of a line; find the next line */
 	linep = find_line(buf, i, rmax);

base/test_base.c

@@ -279,7 +279,7 @@ test_json(void)
 	for (k = strlen(j[i]) - 1; k > 0; k--) {
 	    o = heim_json_create_with_bytes(j[i], k, 10, 0, NULL);
 	    if (o != NULL) {
-		fprintf(stderr, "Invalid JSON parsed: %.*s\n", k, j[i]);
+		fprintf(stderr, "Invalid JSON parsed: %.*s\n", (int)k, j[i]);
 		return EINVAL;
 	    }
 	}
@@ -585,14 +585,22 @@ static void
 test_db_iter(heim_data_t k, heim_data_t v, void *arg)
 {
     int *ret = arg;
+    const void *kptr, *vptr;
+    size_t klen, vlen;
 
     heim_assert(heim_get_tid(k) == heim_data_get_type_id(), "...");
 
-    if (heim_data_get_length(k) == strlen("msg") && strncmp(heim_data_get_ptr(k), "msg", strlen("msg")) == 0 &&
-	heim_data_get_length(v) == strlen("abc") && strncmp(heim_data_get_ptr(v), "abc", strlen("abc")) == 0)
+    kptr = heim_data_get_ptr(k);
+    klen = heim_data_get_length(k);
+    vptr = heim_data_get_ptr(v);
+    vlen = heim_data_get_length(v);
+
+    if (klen == strlen("msg") && !strncmp(kptr, "msg", strlen("msg")) &&
+	vlen == strlen("abc") && !strncmp(vptr, "abc", strlen("abc")))
 	*ret &= ~(1);
-    else if (heim_data_get_length(k) == strlen("msg2") && strncmp(heim_data_get_ptr(k), "msg2", strlen("msg2")) == 0 &&
-	heim_data_get_length(v) == strlen("FooBar") && strncmp(heim_data_get_ptr(v), "FooBar", strlen("FooBar")) == 0)
+    else if (klen == strlen("msg2") &&
+	!strncmp(kptr, "msg2", strlen("msg2")) &&
+	vlen == strlen("FooBar") && !strncmp(vptr, "FooBar", strlen("FooBar")))
 	*ret &= ~(2);
     else
 	*ret |= 4;

cf/roken-frag.m4

@@ -28,7 +28,7 @@ dnl C characteristics
 AC_REQUIRE([AC_C___ATTRIBUTE__])
 AC_REQUIRE([AC_C_INLINE])
 AC_REQUIRE([AC_C_CONST])
-rk_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+rk_WFLAGS(-Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
 
 AC_REQUIRE([rk_DB])
 

cf/wflags.m4

@@ -20,10 +20,16 @@ if test -z "$WFLAGS" -a "$GCC" = "yes"; then
   #   -Wmissing-declarations -Wnested-externs
   #   -Wstrict-overflow=5
   WFLAGS="ifelse($#, 0,-Wall, $1) $dwflags"
-  WFLAGS_NOUNUSED="-Wno-unused"
   WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+
+  #
+  # WFLAGS_LITE can be appended to WFLAGS to turn off a host of warnings
+  # that fail for various bits of older code in appl/.  Let's not use it
+  # for the main libraries, though.
+
+  WFLAGS_LITE="-Wno-extra -Wno-missing-field-initializers -Wno-strict-aliasing -Wno-unused-result"
 fi
 AC_SUBST(WFLAGS)dnl
-AC_SUBST(WFLAGS_NOUNUSED)dnl
+AC_SUBST(WFLAGS_LITE)dnl
 AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
 ])

kadmin/add-random-users.c

@@ -139,8 +139,8 @@ static int version_flag	= 0;
 static int help_flag	= 0;
 
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag,    NULL, NULL }
 };
 
 static void

kadmin/ank.c

@@ -125,10 +125,18 @@ add_one_principal (const char *name,
     } else if(password == NULL) {
 	char *princ_name;
 	char *prompt;
+	int aret;
 
-	krb5_unparse_name(context, princ_ent, &princ_name);
-	asprintf (&prompt, "%s's Password: ", princ_name);
+	ret = krb5_unparse_name(context, princ_ent, &princ_name);
+	if (ret)
+	    goto out;
+	aret = asprintf (&prompt, "%s's Password: ", princ_name);
 	free (princ_name);
+	if (aret == -1) {
+	    ret = ENOMEM;
+	    krb5_set_error_message(context, ret, "out of memory");
+	    goto out;
+	}
 	ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1);
 	free (prompt);
 	if (ret) {

kadmin/cpw.c

@@ -85,14 +85,19 @@ set_password (krb5_principal principal, char *password, int keepold)
 {
     krb5_error_code ret = 0;
     char pwbuf[128];
+    int aret;
 
     if(password == NULL) {
 	char *princ_name;
 	char *prompt;
 
-	krb5_unparse_name(context, principal, &princ_name);
-	asprintf(&prompt, "%s's Password: ", princ_name);
+	ret = krb5_unparse_name(context, principal, &princ_name);
+	if (ret)
+	    return ret;
+	aret = asprintf(&prompt, "%s's Password: ", princ_name);
 	free (princ_name);
+	if (aret == -1)
+	    return ENOMEM;
 	ret = UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1);
 	free (prompt);
 	if(ret){

kadmin/get.c

@@ -66,7 +66,7 @@ static struct field_name {
     { "aliases", KADM5_TL_DATA, KRB5_TL_ALIASES, 0, "Aliases", "Aliases", 0 },
     { "hist-kvno-diff-clnt", KADM5_TL_DATA, KRB5_TL_HIST_KVNO_DIFF_CLNT, 0, "Clnt hist keys", "Historic keys allowed for client", 0 },
     { "hist-kvno-diff-svc", KADM5_TL_DATA, KRB5_TL_HIST_KVNO_DIFF_SVC, 0, "Svc hist keys", "Historic keys allowed for service", 0 },
-    { NULL }
+    { NULL, 0, 0, 0, NULL, NULL, 0 }
 };
 
 struct field_info {
@@ -125,12 +125,17 @@ format_keytype(krb5_key_data *k, krb5_salt *def_salt, char *buf, size_t buf_len)
 {
     krb5_error_code ret;
     char *s;
+    int aret;
 
+    buf[0] = '\0';
     ret = krb5_enctype_to_string (context,
 				  k->key_data_type[0],
 				  &s);
-    if (ret)
-	asprintf (&s, "unknown(%d)", k->key_data_type[0]);
+    if (ret) {
+	aret = asprintf (&s, "unknown(%d)", k->key_data_type[0]);
+	if (aret == -1)
+	    return;	/* Nothing to do here, we have no way to pass the err */
+    }
     strlcpy(buf, s, buf_len);
     free(s);
 
@@ -140,21 +145,29 @@ format_keytype(krb5_key_data *k, krb5_salt *def_salt, char *buf, size_t buf_len)
 				   k->key_data_type[0],
 				   k->key_data_type[1],
 				   &s);
-    if (ret)
-	asprintf (&s, "unknown(%d)", k->key_data_type[1]);
+    if (ret) {
+	aret = asprintf (&s, "unknown(%d)", k->key_data_type[1]);
+	if (aret == -1)
+	    return;	/* Again, nothing else to do... */
+    }
     strlcat(buf, s, buf_len);
     free(s);
 
+    aret = 0;
     if (cmp_salt(def_salt, k) == 0)
 	s = strdup("");
     else if(k->key_data_length[1] == 0)
 	s = strdup("()");
     else
-	asprintf (&s, "(%.*s)", k->key_data_length[1],
-		  (char *)k->key_data_contents[1]);
+	aret = asprintf (&s, "(%.*s)", k->key_data_length[1],
+			 (char *)k->key_data_contents[1]);
+    if (aret == -1 || s == NULL)
+	return;		/* Again, nothing else we can do... */
     strlcat(buf, s, buf_len);
     free(s);
-    asprintf (&s, "[%d]", k->key_data_kvno);
+    aret = asprintf (&s, "[%d]", k->key_data_kvno);
+    if (aret == -1)
+	return;
     strlcat(buf, ")", buf_len);
 
     strlcat(buf, s, buf_len);

kadmin/kadmin.c

@@ -159,6 +159,7 @@ main(int argc, char **argv)
     kadm5_config_params conf;
     int optidx = 0;
     int exit_status = 0;
+    int aret;
 
     setprogname(argv[0]);
 
@@ -181,8 +182,8 @@ main(int argc, char **argv)
     argv += optidx;
 
     if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1)
 	    errx(1, "out of memory");
     }
 

kadmin/kadmind.c

@@ -119,8 +119,10 @@ main(int argc, char **argv)
     argv += optidx;
 
     if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	int aret;
+
+	aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1)
 	    errx(1, "out of memory");
     }
 

kadmin/stash.c

@@ -45,6 +45,7 @@ stash(struct stash_options *opt, int argc, char **argv)
     krb5_error_code ret;
     krb5_enctype enctype;
     hdb_master_key mkey;
+    int aret;
 
     if(!local_flag) {
 	krb5_warnx(context, "stash is only available in local (-l) mode");
@@ -58,8 +59,8 @@ stash(struct stash_options *opt, int argc, char **argv)
     }
 
     if(opt->key_file_string == NULL) {
-	asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context));
-	if (opt->key_file_string == NULL)
+	aret = asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context));
+	if (aret == -1)
 	    errx(1, "out of memory");
     }
 
@@ -108,10 +109,16 @@ stash(struct stash_options *opt, int argc, char **argv)
     }
 
     {
-	char *new, *old;
-	asprintf(&old, "%s.old", opt->key_file_string);
-	asprintf(&new, "%s.new", opt->key_file_string);
-	if(old == NULL || new == NULL) {
+	char *new = NULL, *old = NULL;
+	int aret;
+
+	aret = asprintf(&old, "%s.old", opt->key_file_string);
+	if (aret == -1) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	aret = asprintf(&new, "%s.new", opt->key_file_string);
+	if (aret == -1) {
 	    ret = ENOMEM;
 	    goto out;
 	}

kcm/cache.c

@@ -42,12 +42,15 @@ char *kcm_ccache_nextid(pid_t pid, uid_t uid, gid_t gid)
 {
     unsigned n;
     char *name;
+    int ret;
 
     HEIMDAL_MUTEX_lock(&ccache_mutex);
     n = ++ccache_nextid;
     HEIMDAL_MUTEX_unlock(&ccache_mutex);
 
-    asprintf(&name, "%ld:%u", (long)uid, n);
+    ret = asprintf(&name, "%ld:%u", (long)uid, n);
+    if (ret == -1)
+	return NULL;
 
     return name;
 }

kcm/config.c

@@ -86,22 +86,22 @@ static struct getargs args[] = {
     },
     {
 	"launchd",	0,	arg_flag, &launchd_flag,
-	"when in use by launchd"
+	"when in use by launchd", NULL
     },
 #ifdef SUPPORT_DETACH
 #if DETACH_IS_DEFAULT
     {
 	"detach",       'D',      arg_negative_flag, &detach_from_console,
-	"don't detach from console"
+	"don't detach from console", NULL
     },
 #else
     {
 	"detach",       0 ,      arg_flag, &detach_from_console,
-	"detach from console"
+	"detach from console", NULL
     },
 #endif
 #endif
-    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"help",		'h',	arg_flag,   &help_flag, NULL, NULL },
     {
 	"system-principal",	'k',	arg_string,	&system_principal,
 	"system principal name",	"principal"
@@ -116,11 +116,11 @@ static struct getargs args[] = {
     },
     {
 	"name-constraints",	'n', arg_negative_flag, &name_constraints,
-	"disable credentials cache name constraints"
+	"disable credentials cache name constraints", NULL
     },
     {
 	"disallow-getting-krbtgt", 0, arg_flag, &disallow_getting_krbtgt,
-	"disable fetching krbtgt from the cache"
+	"disable fetching krbtgt from the cache", NULL
     },
     {
 	"renewable-life",	'r', arg_string, &renew_life,
@@ -148,7 +148,7 @@ static struct getargs args[] = {
 	"user",		'u',	arg_string,	&system_user,
 	"system cache owner",	"user"
     },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

kcm/glue.c

@@ -263,7 +263,16 @@ static const krb5_cc_ops krb5_kcmss_ops = {
     kcmss_end_get,
     kcmss_remove_cred,
     kcmss_set_flags,
-    kcmss_get_version
+    kcmss_get_version,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 krb5_error_code

kcm/main.c

@@ -102,7 +102,8 @@ main(int argc, char **argv)
 #endif
 #ifdef SUPPORT_DETACH
     if (detach_from_console)
-	daemon(0, 0);
+	if (daemon(0, 0) == -1)
+	    err(1, "daemon");
 #endif
     pidfile(NULL);
 

kcm/protocol.c

@@ -1070,6 +1070,7 @@ kcm_op_get_default_cache(krb5_context context,
     krb5_error_code ret;
     const char *name = NULL;
     char *n = NULL;
+    int aret;
 
     KCM_LOG_REQUEST(context, client, opcode);
 
@@ -1083,8 +1084,9 @@ kcm_op_get_default_cache(krb5_context context,
 	name = n = kcm_ccache_first_name(client);
 
     if (name == NULL) {
-	asprintf(&n, "%d", (int)client->uid);
-	name = n;
+	aret = asprintf(&n, "%d", (int)client->uid);
+	if (aret != -1)
+	    name = n;
     }
     if (name == NULL)
 	return ENOMEM;

kdc/config.c

@@ -181,10 +181,11 @@ configure(krb5_context context, int argc, char **argv, int *optidx)
 
     {
 	char **files;
+	int aret;
 
 	if (config_file == NULL) {
-	    asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	    if (config_file == NULL)
+	    aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	    if (aret == -1 || config_file == NULL)
 		errx(1, "out of memory");
 	}
 

kdc/digest.c

@@ -406,11 +406,12 @@ _kdc_do_digest(krb5_context context,
 
 	if (ireq.u.init.channel) {
 	    char *s;
+	    int aret;
 
-	    asprintf(&s, "%s-%s:%s", r.u.initReply.nonce,
-		     ireq.u.init.channel->cb_type,
-		     ireq.u.init.channel->cb_binding);
-	    if (s == NULL) {
+	    aret = asprintf(&s, "%s-%s:%s", r.u.initReply.nonce,
+			    ireq.u.init.channel->cb_type,
+			    ireq.u.init.channel->cb_binding);
+	    if (aret == -1 || s == NULL) {
 		ret = ENOMEM;
 		krb5_set_error_message(context, ret,
 				       "Failed to allocate channel binding");
@@ -427,6 +428,8 @@ _kdc_do_digest(krb5_context context,
 	}
 
 	if (strcasecmp(ireq.u.init.type, "CHAP") == 0) {
+	    int aret;
+
 	    r.u.initReply.identifier =
 		malloc(sizeof(*r.u.initReply.identifier));
 	    if (r.u.initReply.identifier == NULL) {
@@ -435,8 +438,8 @@ _kdc_do_digest(krb5_context context,
 		goto out;
 	    }
 
-	    asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff);
-	    if (*r.u.initReply.identifier == NULL) {
+	    aret = asprintf(r.u.initReply.identifier, "%02X", identifier&0xff);
+	    if (aret == -1 || *r.u.initReply.identifier == NULL) {
 		ret = ENOMEM;
 		krb5_set_error_message(context, ret, "malloc: out of memory");
 		goto out;
@@ -997,10 +1000,12 @@ _kdc_do_digest(krb5_context context,
 	    }
 
 	} else {
+	    int aret;
+
 	    r.element = choice_DigestRepInner_error;
-	    asprintf(&r.u.error.reason, "Unsupported digest type %s",
-		     ireq.u.digestRequest.type);
-	    if (r.u.error.reason == NULL) {
+	    aret = asprintf(&r.u.error.reason, "Unsupported digest type %s",
+			    ireq.u.digestRequest.type);
+	    if (aret == -1 || r.u.error.reason == NULL) {
 		ret = ENOMEM;
 		krb5_set_error_message(context, ret, "malloc: out of memory");
 		goto out;

kdc/hpropd.c

@@ -145,7 +145,7 @@ main(int argc, char **argv)
 	if(getpeername(sock, sa, &sin_len) < 0)
 	    krb5_err(context, 1, errno, "getpeername");
 
-	if (inet_ntop(sa->sa_family,
+	if (inet_ntop(ss.ss_family,
 		      socket_get_address (sa),
 		      addr_name,
 		      sizeof(addr_name)) == NULL)
@@ -207,7 +207,11 @@ main(int argc, char **argv)
     }
 
     if(!print_dump) {
-	asprintf(&tmp_db, "%s~", database);
+	int aret;
+
+	aret = asprintf(&tmp_db, "%s~", database);
+	if (aret == -1)
+	    krb5_errx(context, 1, "hdb_create: out of memory");
 
 	ret = hdb_create(context, &db, tmp_db);
 	if(ret)

kdc/kdc-replay.c

@@ -37,11 +37,11 @@ static int version_flag;
 static int help_flag;
 
 struct getargs args[] = {
-    { "version",   0,	arg_flag, &version_flag },
-    { "help",     'h',	arg_flag, &help_flag }
+    { "version",   0,	arg_flag, &version_flag, NULL, NULL },
+    { "help",     'h',	arg_flag, &help_flag,    NULL, NULL }
 };
 
-const static int num_args = sizeof(args) / sizeof(args[0]);
+static const int num_args = sizeof(args) / sizeof(args[0]);
 
 static void
 usage(int ret)

kdc/kstash.c

@@ -66,6 +66,7 @@ main(int argc, char **argv)
 {
     char buf[1024];
     krb5_error_code ret;
+    int aret;
 
     krb5_enctype enctype;
 
@@ -84,8 +85,11 @@ main(int argc, char **argv)
 	krb5_errx(context, 1, "random-key and master-key-fd "
 		  "is mutual exclusive");
 
-    if (keyfile == NULL)
-	asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
+    if (keyfile == NULL) {
+	aret = asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
+	if (aret == -1)
+	    krb5_errx(context, 1, "out of memory");
+    }
 
     ret = krb5_string_to_enctype(context, enctype_str, &enctype);
     if(ret)
@@ -132,9 +136,21 @@ main(int argc, char **argv)
     }
 
     {
-	char *new, *old;
-	asprintf(&old, "%s.old", keyfile);
-	asprintf(&new, "%s.new", keyfile);
+	char *new = NULL, *old = NULL;
+	int aret;
+
+	aret = asprintf(&old, "%s.old", keyfile);
+	if (aret == -1) {
+	    old = NULL;
+	    ret = ENOMEM;
+	    goto out;
+	}
+	aret = asprintf(&new, "%s.new", keyfile);
+	if (aret == -1) {
+	    new = NULL;
+	    ret = ENOMEM;
+	    goto out;
+	}
 	if(unlink(new) < 0 && errno != ENOENT) {
 	    ret = errno;
 	    goto out;

kdc/pkinit.c

@@ -2035,7 +2035,14 @@ krb5_kdc_pk_initialize(krb5_context context,
 				  "pkinit_mappings_file",
 				  NULL);
     if (file == NULL) {
-	asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));
+	int aret;
+
+	aret = asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));
+	if (aret == -1) {
+	    krb5_warnx(context, "PKINIT: out of memory");
+	    return ENOMEM;
+	}
+
 	file = fn;
     }
 

kpasswd/kpasswd-generator.c

@@ -96,6 +96,7 @@ generate_requests (const char *filename, unsigned nreq)
 	int result_code;
 	krb5_data result_code_string, result_string;
 	char *old_pwd, *new_pwd;
+	int aret;
 
 	krb5_get_init_creds_opt_alloc (context, &opt);
 	krb5_get_init_creds_opt_set_tkt_life (opt, 300);
@@ -106,8 +107,12 @@ generate_requests (const char *filename, unsigned nreq)
 	if (ret)
 	    krb5_err (context, 1, ret, "krb5_parse_name %s", name);
 
-	asprintf (&old_pwd, "%s", name);
-	asprintf (&new_pwd, "%s2", name);
+	aret = asprintf (&old_pwd, "%s", name);
+	if (aret == -1)
+	    krb5_errx(context, 1, "out of memory");
+	aret = asprintf (&new_pwd, "%s2", name);
+	if (aret == -1)
+	    krb5_errx(context, 1, "out of memory");
 
 	ret = krb5_get_init_creds_password (context,
 					    &cred,
@@ -163,8 +168,8 @@ static int version_flag	= 0;
 static int help_flag	= 0;
 
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag,    NULL, NULL }
 };
 
 static void

kpasswd/kpasswd.c

@@ -64,22 +64,23 @@ change_password(krb5_context context,
     krb5_error_code ret;
     char pwbuf[BUFSIZ];
     char *msg, *name;
+    int aret;
 
     krb5_data_zero (&result_code_string);
     krb5_data_zero (&result_string);
 
     name = msg = NULL;
     if (principal == NULL)
-	asprintf(&msg, "New password: ");
+	aret = asprintf(&msg, "New password: ");
     else {
 	ret = krb5_unparse_name(context, principal, &name);
 	if (ret)
 	    krb5_err(context, 1, ret, "krb5_unparse_name");
 
-	asprintf(&msg, "New password for %s: ", name);
+	aret = asprintf(&msg, "New password for %s: ", name);
     }
 
-    if (msg == NULL)
+    if (aret == -1 || msg == NULL)
 	krb5_errx (context, 1, "out of memory");
 
     ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), msg, 1);

kpasswd/kpasswdd.c

@@ -689,7 +689,7 @@ doit (krb5_keytab keytab, int port)
 
 	krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
 
-	sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
+	sockets[i] = socket (__ss.ss_family, SOCK_DGRAM, 0);
 	if (sockets[i] < 0)
 	    krb5_err (context, 1, errno, "socket");
 	if (bind (sockets[i], sa, sa_size) < 0) {
@@ -798,6 +798,7 @@ main (int argc, char **argv)
     krb5_error_code ret;
     char **files;
     int port, i;
+    int aret;
 
     krb5_program_setup(&context, argc, argv, args, num_args, NULL);
 
@@ -809,8 +810,8 @@ main (int argc, char **argv)
     }
 
     if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1)
 	    errx(1, "out of memory");
     }
 

kuser/generate-requests.c

@@ -98,8 +98,8 @@ static int version_flag	= 0;
 static int help_flag	= 0;
 
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag,    NULL, NULL }
 };
 
 static void

kuser/kdecode_ticket.c

@@ -79,8 +79,8 @@ print_and_decode_tkt (krb5_context context,
 struct getargs args[] = {
     { "enctype",	'e', arg_string, &etype_str,
       "encryption type to use", "enctype"},
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag, NULL, NULL }
 };
 
 static void

kuser/kinit.c

@@ -332,9 +332,10 @@ store_ntlmkey(krb5_context context, krb5_ccache id,
     krb5_error_code ret;
     krb5_data data;
     char *name;
+    int aret;
 
-    asprintf(&name, "ntlm-key-%s", domain);
-    if (name == NULL) {
+    aret = asprintf(&name, "ntlm-key-%s", domain);
+    if (aret == -1 || name == NULL) {
 	krb5_clear_error_message(context);
 	return ENOMEM;
     }
@@ -549,10 +550,15 @@ get_new_tickets(krb5_context context,
 
 	if (passwd[0] == '\0') {
 	    char *p, *prompt;
+	    int aret = 0;
 
-	    krb5_unparse_name (context, principal, &p);
-	    asprintf (&prompt, N_("%s's Password: ", ""), p);
-	    free (p);
+	    ret = krb5_unparse_name (context, principal, &p);
+	    if (!ret) {
+		aret = asprintf (&prompt, N_("%s's Password: ", ""), p);
+		free (p);
+	    }
+	    if (ret || aret == -1)
+		errx(1, "failed to generate passwd prompt: not enough memory");
 
 	    if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
 		memset(passwd, 0, sizeof(passwd));

kuser/kswitch.c

@@ -146,13 +146,14 @@ kswitch(struct kswitch_options *opt, int argc, char **argv)
     } else if (opt->cache_string) {
 	const krb5_cc_ops *ops;
 	char *str;
+	int aret;
 
 	ops = krb5_cc_get_prefix_ops(kcc_context, opt->type_string);
 	if (ops == NULL)
 	    krb5_err(kcc_context, 1, 0, "krb5_cc_get_prefix_ops");
 
-	asprintf(&str, "%s:%s", ops->prefix, opt->cache_string);
-	if (str == NULL)
+	aret = asprintf(&str, "%s:%s", ops->prefix, opt->cache_string);
+	if (aret == -1)
 	    krb5_errx(kcc_context, 1, N_("out of memory", ""));
 
 	ret = krb5_cc_resolve(kcc_context, str, &id);

kuser/kverify.c

@@ -37,8 +37,8 @@ static int help_flag = 0;
 static int version_flag = 0;
 
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag,    NULL, NULL }
 };
 
 static void

lib/asn1/asn1_gen.c

@@ -150,8 +150,8 @@ doit(const char *fn)
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 

lib/asn1/asn1_print.c

@@ -315,10 +315,11 @@ doit (const char *filename)
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
-    { "indent", 0, arg_negative_flag, &indent_flag },
-    { "inner", 0, arg_flag, &inner_flag, "try to parse inner structures of OCTET STRING" },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "indent", 0, arg_negative_flag, &indent_flag, NULL, NULL },
+    { "inner", 0, arg_flag, &inner_flag,
+      "try to parse inner structures of OCTET STRING", NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 

lib/asn1/check-common.c

@@ -178,15 +178,20 @@ static RETSIGTYPE
 segv_handler(int sig)
 {
     int fd;
+    ssize_t ret;
     char msg[] = "SIGSEGV i current test: ";
 
     fd = open("/dev/stdout", O_WRONLY, 0600);
     if (fd >= 0) {
-	write(fd, msg, sizeof(msg));
-	write(fd, current_test, strlen(current_test));
-	write(fd, " ", 1);
-	write(fd, current_state, strlen(current_state));
-	write(fd, "\n", 1);
+	ret = write(fd, msg, sizeof(msg));
+	if (ret != -1)
+	    ret = write(fd, current_test, strlen(current_test));
+	if (ret != -1)
+	    ret = write(fd, " ", 1);
+	if (ret != -1)
+	    ret = write(fd, current_state, strlen(current_state));
+	if (ret != -1)
+	    ret = write(fd, "\n", 1);
 	close(fd);
     }
     _exit(1);

lib/asn1/check-der.c

@@ -58,16 +58,16 @@ static int
 test_integer (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x7f"},
-	{NULL, 2, "\x00\x80"},
-	{NULL, 2, "\x01\x00"},
-	{NULL, 1, "\x80"},
-	{NULL, 2, "\xff\x7f"},
-	{NULL, 1, "\xff"},
-	{NULL, 2, "\xff\x01"},
-	{NULL, 2, "\x00\xff"},
-	{NULL, 4, "\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00",		NULL},
+	{NULL, 1, "\x7f",		NULL},
+	{NULL, 2, "\x00\x80",		NULL},
+	{NULL, 2, "\x01\x00",		NULL},
+	{NULL, 1, "\x80",		NULL},
+	{NULL, 2, "\xff\x7f",		NULL},
+	{NULL, 1, "\xff",		NULL},
+	{NULL, 2, "\xff\x01",		NULL},
+	{NULL, 2, "\x00\xff",		NULL},
+	{NULL, 4, "\x7f\xff\xff\xff",	NULL}
     };
 
     int values[] = {0, 127, 128, 256, -128, -129, -1, -255, 255,
@@ -184,14 +184,14 @@ static int
 test_unsigned (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x7f"},
-	{NULL, 2, "\x00\x80"},
-	{NULL, 2, "\x01\x00"},
-	{NULL, 2, "\x02\x00"},
-	{NULL, 3, "\x00\x80\x00"},
-	{NULL, 5, "\x00\x80\x00\x00\x00"},
-	{NULL, 4, "\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00",			NULL},
+	{NULL, 1, "\x7f",			NULL},
+	{NULL, 2, "\x00\x80",			NULL},
+	{NULL, 2, "\x01\x00",			NULL},
+	{NULL, 2, "\x02\x00",			NULL},
+	{NULL, 3, "\x00\x80\x00",		NULL},
+	{NULL, 5, "\x00\x80\x00\x00\x00",	NULL},
+	{NULL, 4, "\x7f\xff\xff\xff",		NULL}
     };
 
     unsigned int values[] = {0, 127, 128, 256, 512, 32768,
@@ -237,7 +237,7 @@ test_octet_string (void)
     heim_octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};
 
     struct test_case tests[] = {
-	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef"}
+	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef", NULL}
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -278,8 +278,8 @@ test_bmp_string (void)
     heim_bmp_string s2 = { 2, bmp_d2 };
 
     struct test_case tests[] = {
-	{NULL, 2, "\x00\x20"},
-	{NULL, 4, "\x00\x20\x00\x20"}
+	{NULL, 2, "\x00\x20",		NULL},
+	{NULL, 4, "\x00\x20\x00\x20",	NULL}
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -326,8 +326,8 @@ test_universal_string (void)
     heim_universal_string s2 = { 2, universal_d2 };
 
     struct test_case tests[] = {
-	{NULL, 4, "\x00\x00\x00\x20"},
-	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20"}
+	{NULL, 4, "\x00\x00\x00\x20",			NULL},
+	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20",	NULL}
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -370,7 +370,7 @@ test_general_string (void)
     char *s1 = "Test User 1";
 
     struct test_case tests[] = {
-	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
+	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31", NULL}
     };
     int ret, ntests = sizeof(tests) / sizeof(*tests);
 
@@ -404,8 +404,8 @@ static int
 test_generalized_time (void)
 {
     struct test_case tests[] = {
-	{NULL, 15, "19700101000000Z"},
-	{NULL, 15, "19851106210627Z"}
+	{NULL, 15, "19700101000000Z",	NULL},
+	{NULL, 15, "19851106210627Z",	NULL}
     };
     time_t values[] = {0, 500159187};
     int i, ret;
@@ -446,10 +446,10 @@ static int
 test_oid (void)
 {
     struct test_case tests[] = {
-	{NULL, 2, "\x29\x01"},
-	{NULL, 1, "\x29"},
-	{NULL, 2, "\xff\x01"},
-	{NULL, 1, "\xff"}
+	{NULL, 2, "\x29\x01",	NULL},
+	{NULL, 1, "\x29",	NULL},
+	{NULL, 2, "\xff\x01",	NULL},
+	{NULL, 1, "\xff",	NULL}
     };
     heim_oid values[] = {
 	{ 3, oid_comp1 },
@@ -490,7 +490,7 @@ static int
 test_bit_string (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"}
+	{NULL, 1, "\x00", NULL}
     };
     heim_bit_string values[] = {
 	{ 0, "" }
@@ -528,13 +528,13 @@ static int
 test_heim_integer (void)
 {
     struct test_case tests[] = {
-	{NULL, 2, "\xfe\x01"},
-	{NULL, 2, "\xef\x01"},
-	{NULL, 3, "\xff\x00\xff"},
-	{NULL, 3, "\xff\x01\x00"},
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x01"},
-	{NULL, 2, "\x00\x80"}
+	{NULL, 2, "\xfe\x01",		NULL},
+	{NULL, 2, "\xef\x01",		NULL},
+	{NULL, 3, "\xff\x00\xff",	NULL},
+	{NULL, 3, "\xff\x01\x00",	NULL},
+	{NULL, 1, "\x00",		NULL},
+	{NULL, 1, "\x01",		NULL},
+	{NULL, 2, "\x00\x80",		NULL}
     };
 
     heim_integer values[] = {
@@ -592,8 +592,8 @@ static int
 test_boolean (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\xff"},
-	{NULL, 1, "\x00"}
+	{NULL, 1, "\xff", NULL},
+	{NULL, 1, "\x00", NULL}
     };
 
     int values[] = { 1, 0 };

lib/asn1/check-gen.c

@@ -98,18 +98,21 @@ test_principal (void)
     struct test_case tests[] = {
 	{ NULL, 29,
 	  "\x30\x1b\xa0\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b"
-	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45"
+	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45",
+	  NULL
 	},
 	{ NULL, 35,
 	  "\x30\x21\xa0\x16\x30\x14\xa0\x03\x02\x01\x01\xa1\x0d\x30\x0b\x1b"
 	  "\x03\x6c\x68\x61\x1b\x04\x72\x6f\x6f\x74\xa1\x07\x1b\x05\x53\x55"
-	  "\x2e\x53\x45"
+	  "\x2e\x53\x45",
+	  NULL
 	},
 	{ NULL, 54,
 	  "\x30\x34\xa0\x26\x30\x24\xa0\x03\x02\x01\x03\xa1\x1d\x30\x1b\x1b"
 	  "\x04\x68\x6f\x73\x74\x1b\x13\x6e\x75\x74\x63\x72\x61\x63\x6b\x65"
 	  "\x72\x2e\x65\x2e\x6b\x74\x68\x2e\x73\x65\xa1\x0a\x1b\x08\x45\x2e"
-	  "\x4b\x54\x48\x2e\x53\x45"
+	  "\x4b\x54\x48\x2e\x53\x45",
+	  NULL
 	}
     };
 
@@ -171,7 +174,8 @@ test_authenticator (void)
 	  "\x45\x2e\x4b\x54\x48\x2e\x53\x45\xa2\x10\x30\x0e\xa0"
 	  "\x03\x02\x01\x01\xa1\x07\x30\x05\x1b\x03\x6c\x68\x61"
 	  "\xa4\x03\x02\x01\x0a\xa5\x11\x18\x0f\x31\x39\x37\x30"
-	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a"
+	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a",
+	  NULL
 	},
 	{ NULL, 67,
 	  "\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05"
@@ -179,7 +183,8 @@ test_authenticator (void)
 	  "\x01\xa1\x0d\x30\x0b\x1b\x03\x6c\x68\x61\x1b\x04\x72"
 	  "\x6f\x6f\x74\xa4\x04\x02\x02\x01\x24\xa5\x11\x18\x0f"
 	  "\x31\x39\x37\x30\x30\x31\x30\x31\x30\x30\x31\x36\x33"
-	  "\x39\x5a"
+	  "\x39\x5a",
+	  NULL
 	}
     };
 
@@ -532,7 +537,7 @@ test_time (void)
 	  "time 1" },
 	{ NULL,  17,
 	  "\x18\x0f\x32\x30\x30\x39\x30\x35\x32\x34\x30\x32\x30\x32\x34\x30"
-	  "\x5a"
+	  "\x5a",
 	  "time 2" }
     };
 
@@ -1185,7 +1190,7 @@ check_fail_largetag(void)
 	{NULL, 0, "", "empty buffer"},
 	{NULL, 7, "\x30\x05\xa1\x03\x02\x02\x01",
 	 "one too short" },
-	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01"
+	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01",
 	 "two too short" },
 	{NULL, 7, "\x30\x03\xa1\x03\x02\x02\x01",
 	 "three too short" },
@@ -1220,7 +1225,7 @@ check_fail_sequence(void)
 	{NULL, 0, "", "empty buffer"},
 	{NULL, 24,
 	 "\x30\x16\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
-	 "\x02\x01\x01\xa2\x03\x02\x01\x01"
+	 "\x02\x01\x01\xa2\x03\x02\x01\x01",
 	 "missing one byte from the end, internal length ok"},
 	{NULL, 25,
 	 "\x30\x18\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"

lib/asn1/gen_decode.c

@@ -193,7 +193,7 @@ range_check(const char *name,
 		 "e = ASN1_MAX_CONSTRAINT; %s;\n"
 		 "}\n",
 		 name, length, (long long)r->max, forwstr);
-    if (r->min - 1 == r->max || r->min < r->max)
+    if ((r->min - 1 == r->max || r->min < r->max) && r->min > 0)
 	fprintf (codefile,
 		 "if ((%s)->%s < %lld) {\n"
 		 "e = ASN1_MIN_CONSTRAINT; %s;\n"

lib/asn1/gen_encode.c

@@ -50,7 +50,7 @@ classname(Der_class class)
 {
     const char *cn[] = { "ASN1_C_UNIV", "ASN1_C_APPL",
 			 "ASN1_C_CONTEXT", "ASN1_C_PRIV" };
-    if(class < ASN1_C_UNIV || class > ASN1_C_PRIVATE)
+    if(class > ASN1_C_PRIVATE)
 	return "???";
     return cn[class];
 }

lib/asn1/main.c

@@ -70,16 +70,16 @@ char *option_file;
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "template", 0, arg_flag, &template_flag },
-    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring },
-    { "decode-dce-ber", 0, arg_flag, &support_ber },
-    { "support-ber", 0, arg_flag, &support_ber },
-    { "preserve-binary", 0, arg_strings, &preserve },
-    { "sequence", 0, arg_strings, &seq },
-    { "one-code-file", 0, arg_flag, &one_code_file },
-    { "option-file", 0, arg_string, &option_file },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "template", 0, arg_flag, &template_flag, NULL, NULL },
+    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring, NULL, NULL},
+    { "decode-dce-ber", 0, arg_flag, &support_ber, NULL, NULL },
+    { "support-ber", 0, arg_flag, &support_ber, NULL, NULL },
+    { "preserve-binary", 0, arg_strings, &preserve, NULL, NULL },
+    { "sequence", 0, arg_strings, &seq, NULL, NULL },
+    { "one-code-file", 0, arg_flag, &one_code_file, NULL, NULL },
+    { "option-file", 0, arg_string, &option_file, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 

lib/com_err/compile_et.c

@@ -186,8 +186,8 @@ generate(void)
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 

lib/gssapi/krb5/external.c

@@ -202,67 +202,131 @@ static gss_mo_desc krb5_mo[] = {
     },
     {
 	GSS_C_MA_MECH_CONCRETE,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_ITOK_FRAMED,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_AUTH_INIT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_AUTH_TARG,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_AUTH_INIT_ANON,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_DELEG_CRED,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_INTEG_PROT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_CONF_PROT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_MIC,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_WRAP,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_PROT_READY,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_REPLAY_DET,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_OOS_DET,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_CBINDINGS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_PFS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_CTX_TRANS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     }
 };
 

lib/gssapi/mech/gss_oid.c

@@ -254,13 +254,13 @@ struct _gss_oid_name_table _gss_ont_ma[] = {
   { GSS_C_MA_AUTH_INIT_INIT, "GSS_C_MA_AUTH_INIT_INIT", "auth-init-princ-initial", "" },
   { GSS_C_MA_MECH_CONCRETE, "GSS_C_MA_MECH_CONCRETE", "concrete-mech", "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" },
   { GSS_C_MA_SASL_MECH_NAME, "GSS_C_MA_SASL_MECH_NAME", "SASL mechanism name", "The name of the SASL mechanism" },
-  { NULL }
+  { NULL, NULL, NULL, NULL }
 };
 
 struct _gss_oid_name_table _gss_ont_mech[] = {
   { GSS_KRB5_MECHANISM, "GSS_KRB5_MECHANISM", "Kerberos 5", "Heimdal Kerberos 5 mechanism" },
   { GSS_SPNEGO_MECHANISM, "GSS_SPNEGO_MECHANISM", "SPNEGO", "Heimdal SPNEGO mechanism" },
   { GSS_NTLM_MECHANISM, "GSS_NTLM_MECHANISM", "NTLM", "Heimdal NTLM mechanism" },
-  { NULL }
+  { NULL, NULL, NULL, NULL }
 };
 

lib/gssapi/ntlm/external.c

@@ -120,6 +120,9 @@ static gssapi_mech_interface_desc ntlm_mech = {
     NULL,
     NULL,
     NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface

lib/gssapi/ntlm/init_sec_context.c

@@ -103,6 +103,7 @@ get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
     krb5_error_code ret;
     char *confname;
     krb5_data data;
+    int aret;
 
     *username = NULL;
     krb5_data_zero(&data);
@@ -128,8 +129,8 @@ get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
     if (ret)
 	goto out;
 
-    asprintf(&confname, "ntlm-key-%s", name->domain);
-    if (confname == NULL) {
+    aret = asprintf(&confname, "ntlm-key-%s", name->domain);
+    if (aret == -1) {
 	krb5_clear_error_message(context);
 	ret = ENOMEM;
 	goto out;

lib/gssapi/spnego/external.c

@@ -66,11 +66,19 @@ static gss_mo_desc spnego_mo[] = {
     },
     {
 	GSS_C_MA_MECH_NEGO,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_MECH_PSEUDO,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     }
 };
 
@@ -134,6 +142,9 @@ static gssapi_mech_interface_desc spnego_mech = {
     NULL,
     NULL,
     NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface

lib/hdb/db3.c

@@ -176,16 +176,24 @@ DB_rename(krb5_context context, HDB *db, const char *new_name)
     int ret;
     char *old, *new;
 
-    asprintf(&old, "%s.db", db->hdb_name);
-    asprintf(&new, "%s.db", new_name);
+    ret = asprintf(&old, "%s.db", db->hdb_name);
+    if (ret == -1)
+	return ENOMEM;
+    ret = asprintf(&new, "%s.db", new_name);
+    if (ret == -1) {
+	free(old);
+	return ENOMEM;
+    }
     ret = rename(old, new);
     free(old);
-    free(new);
-    if(ret)
+    if(ret) {
+	free(new);
 	return errno;
+    }
 
     free(db->hdb_name);
-    db->hdb_name = strdup(new_name);
+    new[strlen(new) - 3] = '\0';
+    db->hdb_name = new;
     return 0;
 }
 
@@ -271,6 +279,7 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
     krb5_error_code ret;
     DB *d;
     int myflags = 0;
+    int aret;
 
     if (flags & O_CREAT)
       myflags |= DB_CREATE;
@@ -284,8 +293,8 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
     if (flags & O_TRUNC)
       myflags |= DB_TRUNCATE;
 
-    asprintf(&fn, "%s.db", db->hdb_name);
-    if (fn == NULL) {
+    aret = asprintf(&fn, "%s.db", db->hdb_name);
+    if (aret == -1) {
 	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
 	return ENOMEM;
     }

lib/hdb/dbinfo.c

@@ -153,12 +153,14 @@ hdb_get_dbinfo(krb5_context context, struct hdb_dbinfo **dbp)
 	    p = strrchr(di->dbname, '.');
 	    if(p == NULL || strchr(p, '/') != NULL)
 		/* final pathname component does not contain a . */
-		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
+		ret = asprintf(&di->mkey_file, "%s.mkey", di->dbname);
 	    else
 		/* the filename is something.else, replace .else with
                    .mkey */
-		asprintf(&di->mkey_file, "%.*s.mkey",
-			 (int)(p - di->dbname), di->dbname);
+		ret = asprintf(&di->mkey_file, "%.*s.mkey",
+			       (int)(p - di->dbname), di->dbname);
+	    if (ret == -1)
+		return ENOMEM;
 	}
 	if(di->acl_file == NULL)
 	    di->acl_file = strdup(default_acl);

lib/hdb/keytab.c

@@ -420,5 +420,7 @@ krb5_kt_ops hdb_kt_ops = {
     hdb_next_entry,
     hdb_end_seq_get,
     NULL,		/* add */
-    NULL		/* remove */
+    NULL,		/* remove */
+    NULL,
+    0
 };

lib/hdb/test_dbinfo.c

@@ -38,8 +38,8 @@ static int help_flag;
 static int version_flag;
 
 struct getargs args[] = {
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

lib/hdb/test_hdbkeys.c

@@ -40,9 +40,9 @@ static int version_flag;
 static int kvno_integer = 1;
 
 struct getargs args[] = {
-    { "kvno",		'd',	arg_integer, &kvno_integer },
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "kvno",		'd',	arg_integer, &kvno_integer, NULL, NULL },
+    { "help",		'h',	arg_flag,    &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,    &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

lib/hdb/test_mkey.c

@@ -8,9 +8,9 @@ static int help_flag;
 static int version_flag;
 
 struct getargs args[] = {
-    { "mkey-file",	0,      arg_string, &mkey_file },
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "mkey-file",	0,      arg_string, &mkey_file,    NULL, NULL },
+    { "help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

lib/hx509/ca.c

@@ -965,8 +965,8 @@ build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
     }
 
     t = time(NULL);
-    asprintf(&tstr, "ts-%lu", (unsigned long)t);
-    if (tstr == NULL) {
+    ret = asprintf(&tstr, "ts-%lu", (unsigned long)t);
+    if (ret == -1 || tstr == NULL) {
 	hx509_set_error_string(context, 0, ENOMEM,
 			       "Failed to copy subject name");
 	return ENOMEM;

lib/hx509/cert.c

@@ -3425,7 +3425,9 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
     *env = NULL;
 
     /* version */
-    asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+    ret = asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+    if (ret == -1)
+	goto out;
     ret = hx509_env_add(context, &envcert, "version", buf);
     free(buf);
     if (ret)

lib/hx509/cms.c

@@ -209,7 +209,7 @@ unparse_CMSIdentifier(hx509_context context,
 		      CMSIdentifier *id,
 		      char **str)
 {
-    int ret;
+    int ret = -1;
 
     *str = NULL;
     switch (id->element) {
@@ -227,8 +227,8 @@ unparse_CMSIdentifier(hx509_context context,
 	    free(name);
 	    return ret;
 	}
-	asprintf(str, "certificate issued by %s with serial number %s",
-		 name, serial);
+	ret = asprintf(str, "certificate issued by %s with serial number %s",
+		       name, serial);
 	free(name);
 	free(serial);
 	break;
@@ -242,15 +242,19 @@ unparse_CMSIdentifier(hx509_context context,
 	if (len < 0)
 	    return ENOMEM;
 
-	asprintf(str, "certificate with id %s", keyid);
+	ret = asprintf(str, "certificate with id %s", keyid);
 	free(keyid);
 	break;
     }
     default:
-	asprintf(str, "certificate have unknown CMSidentifier type");
+	ret = asprintf(str, "certificate have unknown CMSidentifier type");
 	break;
     }
-    if (*str == NULL)
+    /*
+     * In the following if, we check ret and *str which should be returned/set
+     * by asprintf(3) in every branch of the switch statement.
+     */
+    if (ret == -1 || *str == NULL)
 	return ENOMEM;
     return 0;
 }

lib/hx509/error.c

@@ -194,13 +194,14 @@ hx509_err(hx509_context context, int exit_code,
     va_list ap;
     const char *msg;
     char *str;
+    int ret;
 
     va_start(ap, fmt);
-    vasprintf(&str, fmt, ap);
+    ret = vasprintf(&str, fmt, ap);
     va_end(ap);
     msg = hx509_get_error_string(context, error_code);
     if (msg == NULL)
 	msg = "no error";
 
-    errx(exit_code, "%s: %s", str, msg);
+    errx(exit_code, "%s: %s", ret != -1 ? str : "ENOMEM", msg);
 }

lib/hx509/hxtool.c

@@ -372,9 +372,9 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
     infile = argv[0];
 
     if (argc < 2) {
-	asprintf(&outfile, "%s.%s", infile,
-		 opt->pem_flag ? "pem" : "cms-signeddata");
-	if (outfile == NULL)
+	ret = asprintf(&outfile, "%s.%s", infile,
+		       opt->pem_flag ? "pem" : "cms-signeddata");
+	if (ret == -1 || outfile == NULL)
 	    errx(1, "out of memory");
     } else
 	outfile = argv[1];

lib/hx509/keyset.c

@@ -752,11 +752,12 @@ _hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
 {
     va_list ap;
     char *str;
+    int ret;
 
     va_start(ap, fmt);
-    vasprintf(&str, fmt, ap);
+    ret = vasprintf(&str, fmt, ap);
     va_end(ap);
-    if (str == NULL)
+    if (ret == -1 || str == NULL)
 	return;
     (*func)(ctx, str);
     free(str);

lib/hx509/ks_dir.c

@@ -211,7 +211,10 @@ static struct hx509_keyset_ops keyset_dir = {
     NULL,
     dir_iter_start,
     dir_iter,
-    dir_iter_end
+    dir_iter_end,
+    NULL,
+    NULL,
+    NULL
 };
 
 void

lib/hx509/ks_null.c

@@ -87,7 +87,10 @@ struct hx509_keyset_ops keyset_null = {
     NULL,
     null_iter_start,
     null_iter,
-    null_iter_end
+    null_iter_end,
+    NULL,
+    NULL,
+    NULL
 };
 
 void

lib/hx509/ks_p11.c

@@ -226,6 +226,7 @@ static const RSA_METHOD p11_rsa_pkcs1_method = {
     0,
     NULL,
     NULL,
+    NULL,
     NULL
 };
 
@@ -330,8 +331,10 @@ p11_init_slot(hx509_context context,
 	break;
     }
 
-    asprintf(&slot->name, "%.*s",
-	     (int)i, slot_info.slotDescription);
+    ret = asprintf(&slot->name, "%.*s", (int)i,
+		   slot_info.slotDescription);
+    if (ret == -1)
+	return ENOMEM;
 
     if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
 	return 0;
@@ -422,7 +425,12 @@ p11_get_session(hx509_context context,
 
 	    memset(&prompt, 0, sizeof(prompt));
 
-	    asprintf(&str, "PIN code for %s: ", slot->name);
+	    ret = asprintf(&str, "PIN code for %s: ", slot->name);
+	    if (ret == -1 || str == NULL) {
+		if (context)
+		    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+		return ENOMEM;
+	    }
 	    prompt.prompt = str;
 	    prompt.type = HX509_PROMPT_TYPE_PASSWORD;
 	    prompt.reply.data = pin;
@@ -717,9 +725,9 @@ collect_cert(hx509_context context,
     if ((CK_LONG)query[2].ulValueLen != -1) {
 	char *str;
 
-	asprintf(&str, "%.*s",
-		 (int)query[2].ulValueLen, (char *)query[2].pValue);
-	if (str) {
+	ret = asprintf(&str, "%.*s",
+		       (int)query[2].ulValueLen, (char *)query[2].pValue);
+	if (ret != -1 && str) {
 	    hx509_cert_set_friendly_name(cert, str);
 	    free(str);
 	}
@@ -1176,7 +1184,9 @@ static struct hx509_keyset_ops keyset_pkcs11 = {
     p11_iter_start,
     p11_iter,
     p11_iter_end,
-    p11_printinfo
+    p11_printinfo,
+    NULL,
+    NULL
 };
 
 #endif /* HAVE_DLOPEN */

lib/hx509/ks_p12.c

@@ -697,7 +697,10 @@ static struct hx509_keyset_ops keyset_pkcs12 = {
     NULL,
     p12_iter_start,
     p12_iter,
-    p12_iter_end
+    p12_iter_end,
+    NULL,
+    NULL,
+    NULL
 };
 
 void

lib/hx509/lock.c

@@ -47,7 +47,10 @@ struct hx509_lock_data {
 };
 
 static struct hx509_lock_data empty_lock_data = {
-    { 0, NULL }
+    { 0, NULL },
+    NULL,
+    NULL,
+    NULL
 };
 
 hx509_lock _hx509_empty_lock = &empty_lock_data;

lib/hx509/softp11.c

@@ -615,7 +615,11 @@ add_certificate(const char *cert_file,
 
     if (pin) {
 	char *str;
-	asprintf(&str, "PASS:%s", pin);
+	ret = asprintf(&str, "PASS:%s", pin);
+	if (ret == -1 || !str) {
+	    st_logf("failed to allocate memory\n");
+	    return CKR_GENERAL_ERROR;
+	}
 
 	hx509_lock_init(context, &lock);
 	hx509_lock_command_string(lock, str);
@@ -815,6 +819,7 @@ get_config_file_for_user(void)
 
 #ifndef _WIN32
     char *home = NULL;
+    int ret;
 
     if (!issuid()) {
         fn = getenv("SOFTPKCS11RC");
@@ -828,9 +833,11 @@ get_config_file_for_user(void)
             home = pw->pw_dir;
     }
     if (fn == NULL) {
-        if (home)
-            asprintf(&fn, "%s/.soft-token.rc", home);
-        else
+        if (home) {
+            ret = asprintf(&fn, "%s/.soft-token.rc", home);
+	    if (ret == -1)
+		fn = NULL;
+        } else
             fn = strdup("/etc/soft-token.rc");
     }
 #else  /* Windows */
@@ -1205,8 +1212,13 @@ C_Login(CK_SESSION_HANDLE hSession,
     VERIFY_SESSION_HANDLE(hSession, NULL);
 
     if (pPin != NULL_PTR) {
-	asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
-	st_logf("type: %d password: %s\n", (int)userType, pin);
+	int aret;
+
+	aret = asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+	if (aret != -1 && pin)
+		st_logf("type: %d password: %s\n", (int)userType, pin);
+	else
+		st_logf("memory error: asprintf failed\n");
     }
 
     /*

lib/ipc/client.c

@@ -352,10 +352,12 @@ common_path_init(const char *service,
 	return ENOMEM;
     s->fd = -1;
 
-    asprintf(&s->path, "/var/run/.heim_%s-%s", service, file);
+    if (asprintf(&s->path, "/var/run/.heim_%s-%s", service, file) == -1) {
+	free(s);
+	return ENOMEM;
+    }
 
     *ctx = s;
-
     return 0;
 }
 

lib/ipc/tc.c

@@ -46,8 +46,8 @@ static int help_flag;
 static int version_flag;
 
 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);

lib/ipc/ts-http.c

@@ -44,8 +44,8 @@ static int help_flag;
 static int version_flag;
 
 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);