diff --git a/appl/afsutil/afslog.c b/appl/afsutil/afslog.c
index bd6807d01..0ae61b3ae 100644
--- a/appl/afsutil/afslog.c
+++ b/appl/afsutil/afslog.c
@@ -61,15 +61,16 @@ struct getargs args[] = {
     { "cell",	'c', arg_strings, &cells, "cells to get tokens for", "cell" },
     { "file",	'p', arg_strings, &files, "files to get tokens for", "path" },
     { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
-    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens" },
+    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens", NULL },
 #ifdef KRB5
     { "principal",'P',arg_string,&client_string,"principal to use","principal"},
     { "cache",   0,  arg_string, &cache_string, "ccache to use", "cache"},
-    { "v5",	 0,  arg_negative_flag, &use_krb5, "don't use Kerberos 5" },
+    { "v5",	 0,  arg_negative_flag, &use_krb5, "don't use Kerberos 5",
+      NULL },
 #endif
-    { "verbose",'v', arg_flag, &verbose },
-    { "version", 0,  arg_flag, &version_flag },
-    { "help",	'h', arg_flag, &help_flag },
+    { "verbose",'v', arg_flag, &verbose, NULL, NULL },
+    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
+    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/appl/afsutil/pagsh.c b/appl/afsutil/pagsh.c
index bfc5dce87..5801441d7 100644
--- a/appl/afsutil/pagsh.c
+++ b/appl/afsutil/pagsh.c
@@ -73,12 +73,12 @@ static char *typename_arg;
 #endif
 
 struct getargs getargs[] = {
-    { NULL,	'c', arg_flag, &c_flag },
+    { NULL,	'c', arg_flag, &c_flag, NULL, NULL },
 #ifdef KRB5
-    { "cache-type", 0,  arg_string, &typename_arg },
+    { "cache-type", 0,  arg_string, &typename_arg, NULL, NULL },
 #endif
-    { "version", 0,  arg_flag, &version_flag },
-    { "help",	'h', arg_flag, &help_flag },
+    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
+    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
 };
 
 static int num_args = sizeof(getargs) / sizeof(getargs[0]);
diff --git a/appl/ftp/ftp/Makefile.am b/appl/ftp/ftp/Makefile.am
index e47580dfc..8bda036e5 100644
--- a/appl/ftp/ftp/Makefile.am
+++ b/appl/ftp/ftp/Makefile.am
@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 AM_CPPFLAGS += -I$(srcdir)/../common $(INCLUDE_readline) $(INCLUDE_hcrypto)
 
 bin_PROGRAMS = ftp
diff --git a/appl/ftp/ftp/cmds.c b/appl/ftp/ftp/cmds.c
index dbd5d581e..778cd563a 100644
--- a/appl/ftp/ftp/cmds.c
+++ b/appl/ftp/ftp/cmds.c
@@ -210,7 +210,7 @@ struct	types {
 	{ "image",	"I",	TYPE_I,	0 },
 	{ "ebcdic",	"E",	TYPE_E,	0 },
 	{ "tenex",	"L",	TYPE_L,	bytename },
-	{ NULL }
+	{ NULL, NULL, 0, NULL }
 };
 
 /*
@@ -1316,7 +1316,8 @@ user(int argc, char **argv)
 	if (n == CONTINUE) {
 		if (argc < 4) {
 			printf("Account: "); fflush(stdout);
-			fgets(acctstr, sizeof(acctstr) - 1, stdin);
+			if (fgets(acctstr, sizeof(acctstr) - 1, stdin) == NULL)
+				acctstr[0] = '\0';
 			acctstr[strcspn(acctstr, "\r\n")] = '\0';
 			argv[3] = acctstr; argc++;
 		}
diff --git a/appl/ftp/ftp/cmdtab.c b/appl/ftp/ftp/cmdtab.c
index 7b4c32942..f3a5493c9 100644
--- a/appl/ftp/ftp/cmdtab.c
+++ b/appl/ftp/ftp/cmdtab.c
@@ -197,7 +197,7 @@ struct cmd cmdtab[] = {
 	{ "afslog",	afsloghelp,	0,	1,	0,	afslog },
 #endif
 
-	{ 0 },
+	{ NULL, NULL, 0, 0, 0, NULL },
 };
 
 int	NCMDS = (sizeof (cmdtab) / sizeof (cmdtab[0])) - 1;
diff --git a/appl/ftp/ftpd/ftpd.c b/appl/ftp/ftpd/ftpd.c
index 5be67c866..924ea23b3 100644
--- a/appl/ftp/ftpd/ftpd.c
+++ b/appl/ftp/ftpd/ftpd.c
@@ -212,25 +212,32 @@ static int version_flag;
 static const char *good_chars = "+-=_,.";
 
 struct getargs args[] = {
-    { NULL, 'a', arg_string, &auth_string, "required authentication" },
-    { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket" },
-    { NULL, 'p', arg_string, &port_string, "what port to listen to" },
-    { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins" },
+    { NULL, 'a', arg_string, &auth_string, "required authentication", NULL },
+    { NULL, 'i', arg_flag, &interactive_flag, "don't assume stdin is a socket",
+      NULL },
+    { NULL, 'p', arg_string, &port_string, "what port to listen to", NULL },
+    { NULL, 'g', arg_string, &guest_umask_string, "umask for guest logins",
+      NULL },
     { NULL, 'l', arg_counter, &logging, "log more stuff", "" },
-    { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" },
-    { NULL, 'T', arg_integer, &maxtimeout, "max timeout" },
-    { NULL, 'u', arg_string, &umask_string, "umask for user logins" },
-    { NULL, 'U', arg_negative_flag, &restricted_data_ports, "don't use high data ports" },
-    { NULL, 'd', arg_flag, &debug, "enable debugging" },
-    { NULL, 'v', arg_flag, &debug, "enable debugging" },
-    { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" },
-    { "good-chars", 0, arg_string, &good_chars, "allowed anonymous upload filename chars" },
-    { "insecure-oob", 'I', arg_negative_flag, &allow_insecure_oob, "don't allow insecure OOB ABOR/STAT" },
+    { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout", NULL },
+    { NULL, 'T', arg_integer, &maxtimeout, "max timeout", NULL },
+    { NULL, 'u', arg_string, &umask_string, "umask for user logins", NULL },
+    { NULL, 'U', arg_negative_flag, &restricted_data_ports,
+      "don't use high data ports", NULL },
+    { NULL, 'd', arg_flag, &debug, "enable debugging", NULL },
+    { NULL, 'v', arg_flag, &debug, "enable debugging", NULL },
+    { "builtin-ls", 'B', arg_flag, &use_builtin_ls,
+      "use built-in ls to list files", NULL },
+    { "good-chars", 0, arg_string, &good_chars,
+      "allowed anonymous upload filename chars", NULL },
+    { "insecure-oob", 'I', arg_negative_flag, &allow_insecure_oob,
+      "don't allow insecure OOB ABOR/STAT", NULL },
 #ifdef KRB5
-    { "gss-bindings", 0,  arg_flag, &ftp_do_gss_bindings, "Require GSS-API bindings", NULL},
+    { "gss-bindings", 0,  arg_flag, &ftp_do_gss_bindings,
+      "Require GSS-API bindings", NULL},
 #endif
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 'h', arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
@@ -972,7 +979,7 @@ retrieve(const char *cmd, char *name)
 			{".tar.Z", "/bin/gtar ZcPf - %s", NULL},
 			{".gz", "/bin/gzip -c -- %s", "/bin/gzip -c -d -- %s"},
 			{".Z", "/bin/compress -c -- %s", "/bin/uncompress -c -- %s"},
-			{NULL, NULL}
+			{NULL, NULL, NULL}
 		    };
 		    struct cmds *p;
 		    for(p = cmds; p->ext; p++){
@@ -1272,7 +1279,7 @@ dataconn(const char *name, off_t size, const char *mode)
 		close(pdata);
 		pdata = s;
 #if defined(IPTOS_THROUGHPUT)
-		if (from->sa_family == AF_INET)
+		if (from_ss.ss_family == AF_INET)
 		    socket_set_tos(s, IPTOS_THROUGHPUT);
 #endif
 		reply(150, "Opening %s mode data connection for '%s'%s.",
diff --git a/appl/ftp/ftpd/logwtmp.c b/appl/ftp/ftpd/logwtmp.c
index 59f45b205..3a1baea69 100644
--- a/appl/ftp/ftpd/logwtmp.c
+++ b/appl/ftp/ftpd/logwtmp.c
@@ -107,7 +107,9 @@ static void
 ftpd_logwtmp_wtmp(char *line, char *name, char *host)
 {
     static int init = 0;
+#ifdef WTMP_FILE
     static int fd;
+#endif
 #ifdef WTMPX_FILE
     static int fdx;
 #endif
@@ -117,6 +119,9 @@ ftpd_logwtmp_wtmp(char *line, char *name, char *host)
 #if defined(WTMPX_FILE) || defined(HAVE_UTMPX_H)
     struct utmpx utx;
 #endif
+#if defined(WTMP_FILE) || defined(WTMPX_FILE)
+    ssize_t ret;
+#endif
 
 #ifdef HAVE_UTMPX_H
     memset(&utx, 0, sizeof(struct utmpx));
@@ -176,14 +181,18 @@ ftpd_logwtmp_wtmp(char *line, char *name, char *host)
 #endif
 	init = 1;
     }
+#if defined(WTMP_FILE) || defined(WTMPX_FILE)
     if(fd >= 0) {
 #ifdef WTMP_FILE
-	write(fd, &ut, sizeof(struct utmp)); /* XXX */
+	ret = write(fd, &ut, sizeof(struct utmp)); /* XXX */
 #endif
 #ifdef WTMPX_FILE
-	write(fdx, &utx, sizeof(struct utmpx));
+	ret = write(fdx, &utx, sizeof(struct utmpx));
 #endif
+	if (ret == -1)
+	    syslog(LOG_ERR, "ftpd_logwtmp_wtmp(): write(2) failed: %m");
     }
+#endif
 }
 
 #endif /* !HAVE_ASL_H */
diff --git a/appl/gssmask/gssmaestro.c b/appl/gssmask/gssmaestro.c
index c972cada2..90fa43536 100644
--- a/appl/gssmask/gssmaestro.c
+++ b/appl/gssmask/gssmaestro.c
@@ -280,7 +280,7 @@ wait_log(struct client *c)
     if (fd < 0)
 	err(1, "failed to build socket for %s's logging port", c->moniker);
 
-    ((struct sockaddr *)&sast)->sa_family = c->sa->sa_family;
+    sast.ss_family = c->sa->sa_family;
     ret = bind(fd, (struct sockaddr *)&sast, c->salen);
     if (ret < 0)
 	err(1, "failed to bind %s's logging port", c->moniker);
diff --git a/appl/gssmask/gssmask.c b/appl/gssmask/gssmask.c
index 98a073849..5a454fc81 100644
--- a/appl/gssmask/gssmask.c
+++ b/appl/gssmask/gssmask.c
@@ -73,10 +73,13 @@ logmessage(struct client *c, const char *file, unsigned int lineno,
     char *message;
     va_list ap;
     int32_t ackid;
+    int ret;
 
     va_start(ap, fmt);
-    vasprintf(&message, fmt, ap);
+    ret = vasprintf(&message, fmt, ap);
     va_end(ap);
+    if (ret == -1)
+	errx(1, "out of memory");
 
     if (logfile)
 	fprintf(logfile, "%s:%u: %d %s\n", file, lineno, level, message);
@@ -643,6 +646,7 @@ HandleOP(GetVersionAndCapabilities)
 {
     int32_t cap = HAS_MONIKER;
     char name[256] = "unknown", *str;
+    int ret;
 
     if (targetname)
 	cap |= ISSERVER; /* is server */
@@ -657,7 +661,9 @@ HandleOP(GetVersionAndCapabilities)
     }
 #endif
 
-    asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
+    ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
+    if (ret == -1)
+	errx(1, "out of memory");
 
     put32(c, GSSMAGGOTPROTOCOL);
     put32(c, cap);
@@ -1084,6 +1090,7 @@ static struct client *
 create_client(int fd, int port, const char *moniker)
 {
     struct client *c;
+    int ret;
 
     c = ecalloc(1, sizeof(*c));
 
@@ -1092,9 +1099,14 @@ create_client(int fd, int port, const char *moniker)
     } else {
 	char hostname[MAXHOSTNAMELEN];
 	gethostname(hostname, sizeof(hostname));
-	asprintf(&c->moniker, "gssmask: %s:%d", hostname, port);
+	ret = asprintf(&c->moniker, "gssmask: %s:%d", hostname, port);
+	if (ret == -1)
+	    c->moniker = NULL;
     }
 
+    if (!c->moniker)
+	errx(1, "out of memory");
+
     {
 	c->salen = sizeof(c->sa);
 	getpeername(fd, (struct sockaddr *)&c->sa, &c->salen);
diff --git a/appl/kf/kf.c b/appl/kf/kf.c
index e3e72ab06..bce958b98 100644
--- a/appl/kf/kf.c
+++ b/appl/kf/kf.c
@@ -51,8 +51,8 @@ static struct getargs args[] = {
        "Forward forwardable credentials", NULL },
     { "forwardable",'G',arg_negative_flag,&forwardable,
        "Don't forward forwardable credentials", NULL },
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/appl/kf/kfd.c b/appl/kf/kfd.c
index 71f48c935..ee76a260c 100644
--- a/appl/kf/kfd.c
+++ b/appl/kf/kfd.c
@@ -49,8 +49,8 @@ static struct getargs args[] = {
     { "inetd",'i',arg_flag, &do_inetd,
        "Not started from inetd", NULL },
     { "regpag",'R',arg_string,&regpag_str,"path to regpag binary","regpag"},
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/appl/kx/krb5.c b/appl/kx/krb5.c
index eeb62a2d2..ded9236ef 100644
--- a/appl/kx/krb5.c
+++ b/appl/kx/krb5.c
@@ -65,17 +65,19 @@ ksyslog(krb5_context context, krb5_error_code ret, const char *fmt, ...)
     const char *msg;
     char *str = NULL;
     va_list va;
+    int aret;
 
     msg = krb5_get_error_message(context, ret);
 
     va_start(va, fmt);
-    vasprintf(&str, fmt, va);
+    aret = vasprintf(&str, fmt, va);
     va_end(va);
 
-    syslog(LOG_ERR, "%s: %s", str, msg);
+    syslog(LOG_ERR, "%s: %s", aret != -1 ? str : "(nil)", msg);
 
     krb5_free_error_message(context, msg);
-    free(str);
+    if (aret != -1)
+	free(str);
 }
 
 /*
diff --git a/appl/kx/kx.c b/appl/kx/kx.c
index ffc2e85b5..66363939b 100644
--- a/appl/kx/kx.c
+++ b/appl/kx/kx.c
@@ -616,13 +616,13 @@ struct getargs args[] = {
     { "user",	'l', arg_string,	&user,		"Run as this user",
       NULL },
     { "tcp",	't', arg_flag,		&tcp_flag,
-      "Use a TCP connection for X11" },
+      "Use a TCP connection for X11", NULL },
     { "passive", 'P', arg_flag,		&passive_flag,
-      "Force a passive connection" },
+      "Force a passive connection", NULL },
     { "keepalive", 'k', arg_negative_flag, &keepalive_flag,
-      "disable keep-alives" },
+      "disable keep-alives", NULL },
     { "debug",	'd',	arg_flag,	&debug_flag,
-      "Enable debug information" },
+      "Enable debug information", NULL },
     { "version", 0,  arg_flag,		&version_flag,	"Print version",
       NULL },
     { "help",	 0,  arg_flag,		&help_flag,	NULL,
diff --git a/appl/kx/kxd.c b/appl/kx/kxd.c
index 8598fb167..11f356f1c 100644
--- a/appl/kx/kxd.c
+++ b/appl/kx/kxd.c
@@ -336,7 +336,7 @@ doit_conn (kx_context *kc,
     }
 #endif
     memset (&__ss_addr, 0, sizeof(__ss_addr));
-    addr->sa_family = kc->thisaddr->sa_family;
+    __ss_addr.ss_family = kc->thisaddr->sa_family;
     if (kc->thisaddr_len > sizeof(__ss_addr)) {
 	syslog(LOG_ERR, "error in af");
 	return 1;
@@ -403,6 +403,7 @@ close_connection(int fd, const char *message)
     char *p;
     int lsb = 0;
     size_t mlen;
+    ssize_t ret;
 
     mlen = strlen(message);
     if(mlen > 255)
@@ -433,7 +434,7 @@ close_connection(int fd, const char *message)
 	buf[6] = 0;
 	buf[7] = (p - buf - 8) / 4;
     }
-    write(fd, buf, p - buf);
+    ret = write(fd, buf, p - buf);
     close(fd);
 }
 
@@ -707,12 +708,13 @@ static int help_flag		= 0;
 
 struct getargs args[] = {
     { "inetd",		'i',	arg_negative_flag,	&inetd_flag,
-      "Not started from inetd" },
-    { "tcp",		't',	arg_flag,	&tcp_flag,	"Use TCP" },
+      "Not started from inetd", NULL },
+    { "tcp",		't',	arg_flag,	&tcp_flag,	"Use TCP",
+      NULL },
     { "port",		'p',	arg_string,	&port_str,	"Use this port",
       "port" },
-    { "version",	0, 	arg_flag,		&version_flag },
-    { "help",		0, 	arg_flag,		&help_flag }
+    { "version",	0, 	arg_flag,	&version_flag,	NULL, NULL },
+    { "help",		0, 	arg_flag,	&help_flag,	NULL, NULL }
 };
 
 static void
diff --git a/appl/login/env.c b/appl/login/env.c
index 98ae93086..fc2e8b826 100644
--- a/appl/login/env.c
+++ b/appl/login/env.c
@@ -53,10 +53,11 @@ extend_env(char *str)
 void
 add_env(const char *var, const char *value)
 {
+    int aret;
     int i;
     char *str;
-    asprintf(&str, "%s=%s", var, value);
-    if(str == NULL)
+    aret = asprintf(&str, "%s=%s", var, value);
+    if(aret == -1)
 	errx(1, "Out of memory!");
     for(i = 0; i < num_env; i++)
 	if(strncmp(env[i], var, strlen(var)) == 0 &&
diff --git a/appl/login/limits_conf.c b/appl/login/limits_conf.c
index 1068b9670..492b14de7 100644
--- a/appl/login/limits_conf.c
+++ b/appl/login/limits_conf.c
@@ -48,7 +48,7 @@ struct limit {
     int has_limit;
     struct rlimit limit;
 } limits[] = {
-#define LIM(X, S) { #X, RLIMIT_##X, S, 0 }
+#define LIM(X, S) { #X, RLIMIT_##X, S, 0, {0, 0} }
     LIM(CORE, 1024),
     LIM(CPU, 60),
     LIM(DATA, 1024),
@@ -75,7 +75,7 @@ struct limit {
       maxlogins
       priority
     */
-    { NULL, 0 }
+    { NULL, 0, 0, 0, {0, 0}  }
 };
 
 static struct limit *
diff --git a/appl/login/login.c b/appl/login/login.c
index 6b16f0b71..1d8138b69 100644
--- a/appl/login/login.c
+++ b/appl/login/login.c
@@ -246,18 +246,19 @@ static char *remote_host;
 static char *auth_level = NULL;
 
 struct getargs args[] = {
-    { NULL, 'a', arg_string,    &auth_level,    "authentication mode" },
+    { NULL, 'a', arg_string,    &auth_level,    "authentication mode", NULL },
 #if 0
-    { NULL, 'd' },
+    { NULL, 'd', NULL,          NULL,           NULL, NULL },
 #endif
-    { NULL, 'f', arg_flag,	&f_flag,	"pre-authenticated" },
+    { NULL, 'f', arg_flag,	&f_flag,	"pre-authenticated", NULL },
     { NULL, 'h', arg_string,	&remote_host,	"remote host", "hostname" },
-    { NULL, 'p', arg_flag,	&p_flag,	"don't purge environment" },
+    { NULL, 'p', arg_flag,	&p_flag,	"don't purge environment",
+      NULL },
 #if 0
-    { NULL, 'r', arg_flag,	&r_flag,	"rlogin protocol" },
+    { NULL, 'r', arg_flag,	&r_flag,	"rlogin protocol", NULL },
 #endif
-    { "version", 0,  arg_flag,	&version_flag },
-    { "help",	 0,  arg_flag,&help_flag, }
+    { "version", 0,  arg_flag,	&version_flag,  NULL, NULL },
+    { "help",	 0,  arg_flag,&help_flag,       NULL, NULL }
 };
 
 int nargs = sizeof(args) / sizeof(args[0]);
diff --git a/appl/otp/otp.c b/appl/otp/otp.c
index ef3e4ab15..320646f7e 100644
--- a/appl/otp/otp.c
+++ b/appl/otp/otp.c
@@ -46,16 +46,16 @@ static int version_flag;
 static int help_flag;
 
 struct getargs args[] = {
-    { "list", 'l', arg_flag, &listp, "list OTP status" },
-    { "delete", 'd', arg_flag, &deletep, "delete OTP" },
-    { "open", 'o', arg_flag, &openp, "open a locked OTP" },
-    { "renew", 'r', arg_flag, &renewp, "securely renew OTP" },
+    { "list", 'l', arg_flag, &listp, "list OTP status", NULL },
+    { "delete", 'd', arg_flag, &deletep, "delete OTP", NULL },
+    { "open", 'o', arg_flag, &openp, "open a locked OTP", NULL },
+    { "renew", 'r', arg_flag, &renewp, "securely renew OTP", NULL },
     { "hash", 'f', arg_string, &alg_string,
       "hash algorithm (md4, md5, or sha)", "algorithm"},
     { "user", 'u', arg_string, &user,
       "user other than current user (root only)", "user" },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 'h', arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL }
 };
 
 int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/appl/otp/otpprint.c b/appl/otp/otpprint.c
index 662afeb46..056309d3d 100644
--- a/appl/otp/otpprint.c
+++ b/appl/otp/otpprint.c
@@ -44,13 +44,14 @@ static int version_flag;
 static int help_flag;
 
 struct getargs args[] = {
-    { "extended", 'e', arg_flag, &extendedp, "print keys in extended format" },
-    { "count", 'n', arg_integer, &count, "number of keys to print" },
-    { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal" },
+    { "extended", 'e', arg_flag, &extendedp, "print keys in extended format",
+      NULL },
+    { "count", 'n', arg_integer, &count, "number of keys to print", NULL },
+    { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal", NULL },
     { "hash", 'f', arg_string, &alg_string,
       "hash algorithm (md4, md5, or sha)", "algorithm"},
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 
 int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/appl/popper/Makefile.am b/appl/popper/Makefile.am
index 2fb612dd6..d39c45b03 100644
--- a/appl/popper/Makefile.am
+++ b/appl/popper/Makefile.am
@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 noinst_PROGRAMS = pop_debug
 
 libexec_PROGRAMS = popper
diff --git a/appl/push/push.c b/appl/push/push.c
index 659d10214..5990c28e5 100644
--- a/appl/push/push.c
+++ b/appl/push/push.c
@@ -223,7 +223,7 @@ doit(int s,
     unsigned sent_xdele = 0;
     int out_fd;
     char from_line[128];
-    size_t from_line_length;
+    ssize_t from_line_length;
     time_t now;
     struct write_state write_state;
     unsigned int numheaders = 1;
diff --git a/appl/rcp/Makefile.am b/appl/rcp/Makefile.am
index 7bd48bac8..db7ed7f30 100644
--- a/appl/rcp/Makefile.am
+++ b/appl/rcp/Makefile.am
@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 bin_PROGRAMS = rcp
 
 rcp_SOURCES  = rcp.c util.c rcp_locl.h extern.h
diff --git a/appl/rcp/rcp.c b/appl/rcp/rcp.c
index 9297af6d7..2ad8ff607 100644
--- a/appl/rcp/rcp.c
+++ b/appl/rcp/rcp.c
@@ -58,21 +58,23 @@ static int fflag, tflag;
 static int version_flag, help_flag;
 
 struct getargs args[] = {
-    { NULL,	'4', arg_flag,		&usekrb4,	"use Kerberos 4 authentication" },
-    { NULL,	'5', arg_flag,		&usekrb5,	"use Kerberos 5 authentication" },
-    { NULL,	'F', arg_flag,		&forwardtkt,	"forward credentials" },
-    { NULL,	'K', arg_flag,		&usebroken,	"use BSD authentication" },
-    { NULL,	'P', arg_string,	&port,		"non-default port", "port" },
-    { NULL,	'p', arg_flag,		&pflag,	"preserve file permissions" },
-    { NULL,	'r', arg_flag,		&iamrecursive,	"recursive mode" },
-    { NULL,	'x', arg_flag,		&doencrypt,	"use encryption" },
-    { NULL,	'z', arg_flag,		&noencrypt,	"don't encrypt" },
-    { NULL,	'd', arg_flag,		&targetshouldbedirectory },
-    { NULL,	'e', arg_flag,		&eflag, 	"passed to rsh" },
-    { NULL,	'f', arg_flag,		&fflag },
-    { NULL,	't', arg_flag,		&tflag },
-    { "version", 0,  arg_flag,		&version_flag },
-    { "help",	 0,  arg_flag,		&help_flag }
+    { NULL,	'4', arg_flag,	 &usekrb4,	"use Kerberos 4 authentication",      NULL },
+    { NULL,	'5', arg_flag,	 &usekrb5,	"use Kerberos 5 authentication",      NULL },
+    { NULL,	'F', arg_flag,	 &forwardtkt,	"forward credentials", NULL },
+    { NULL,	'K', arg_flag,	 &usebroken,	"use BSD authentication",
+      NULL },
+    { NULL,	'P', arg_string, &port,		"non-default port", "port" },
+    { NULL,	'p', arg_flag,	 &pflag,	"preserve file permissions",
+      NULL },
+    { NULL,	'r', arg_flag,	 &iamrecursive,	"recursive mode", NULL },
+    { NULL,	'x', arg_flag,	 &doencrypt,	"use encryption", NULL },
+    { NULL,	'z', arg_flag,	 &noencrypt,	"don't encrypt", NULL },
+    { NULL,	'd', arg_flag,	 &targetshouldbedirectory, NULL, NULL },
+    { NULL,	'e', arg_flag,	 &eflag,	"passed to rsh", NULL },
+    { NULL,	'f', arg_flag,	 &fflag,	NULL, NULL },
+    { NULL,	't', arg_flag,	 &tflag,	NULL, NULL },
+    { "version", 0,  arg_flag,	 &version_flag,	NULL, NULL },
+    { "help",	 0,  arg_flag,	 &help_flag,	NULL, NULL }
 };
 
 static void
diff --git a/appl/rsh/Makefile.am b/appl/rsh/Makefile.am
index 2cd18752f..86c41b064 100644
--- a/appl/rsh/Makefile.am
+++ b/appl/rsh/Makefile.am
@@ -4,6 +4,8 @@ include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I$(srcdir)/../login $(INCLUDE_hcrypto)
 
+WFLAGS += $(WFLAGS_LITE)
+
 bin_PROGRAMS = rsh
 
 man_MANS = rsh.1 rshd.8
diff --git a/appl/su/su.c b/appl/su/su.c
index 902af4b04..578ee1c78 100644
--- a/appl/su/su.c
+++ b/appl/su/su.c
@@ -80,19 +80,19 @@ char tkfile[256];
 
 struct getargs args[] = {
     { "kerberos", 'K', arg_negative_flag, &kerberos_flag,
-      "don't use kerberos" },
+      "don't use kerberos", NULL },
     { NULL,	  'f', arg_flag,	  &csh_f_flag,
-      "don't read .cshrc" },
+      "don't read .cshrc", NULL },
     { "full",	  'l', arg_flag,          &full_login,
-      "simulate full login" },
+      "simulate full login", NULL },
     { NULL,	  'm', arg_flag,          &env_flag,
-      "leave environment unmodified" },
+      "leave environment unmodified", NULL },
     { "instance", 'i', arg_string,        &kerberos_instance,
-      "root instance to use" },
+      "root instance to use", NULL },
     { "command",  'c', arg_string,        &cmd,
-      "command to execute" },
-    { "help", 	  'h', arg_flag,          &help_flag },
-    { "version",  0,   arg_flag,          &version_flag },
+      "command to execute", NULL },
+    { "help",	  'h', arg_flag,          &help_flag, NULL, NULL },
+    { "version",  0,   arg_flag,          &version_flag, NULL, NULL },
 };
 
 
diff --git a/appl/telnet/libtelnet/Makefile.am b/appl/telnet/libtelnet/Makefile.am
index 66571d5db..c296cb3bb 100644
--- a/appl/telnet/libtelnet/Makefile.am
+++ b/appl/telnet/libtelnet/Makefile.am
@@ -4,6 +4,8 @@ include $(top_srcdir)/Makefile.am.common
 
 AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_hcrypto)
 
+WFLAGS += $(WFLAGS_LITE)
+
 noinst_LIBRARIES = libtelnet.a
 
 libtelnet_a_SOURCES = \
diff --git a/appl/telnet/libtelnet/auth.c b/appl/telnet/libtelnet/auth.c
index 1c01245d1..5c8647b43 100644
--- a/appl/telnet/libtelnet/auth.c
+++ b/appl/telnet/libtelnet/auth.c
@@ -166,10 +166,10 @@ Authenticator authenticators[] = {
       rsaencpwd_status,
       rsaencpwd_printsub },
 #endif
-    { 0, },
+    { 0, 0, NULL, NULL, NULL, NULL, NULL, NULL },
 };
 
-static Authenticator NoAuth = { 0 };
+static Authenticator NoAuth = { 0, 0, NULL, NULL, NULL, NULL, NULL, NULL };
 
 static int	i_support = 0;
 static int	i_wont_support = 0;
diff --git a/appl/telnet/libtelnet/encrypt.c b/appl/telnet/libtelnet/encrypt.c
index 58e081d42..1d3df9323 100644
--- a/appl/telnet/libtelnet/encrypt.c
+++ b/appl/telnet/libtelnet/encrypt.c
@@ -128,7 +128,7 @@ static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64)
 	   ofb64_keyid,
 	   ofb64_printsub },
 #endif
-	 { 0, },
+	 { 0, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL },
      };
 
 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
diff --git a/appl/telnet/telnet/Makefile.am b/appl/telnet/telnet/Makefile.am
index 34e0fe641..dec8b1ec3 100644
--- a/appl/telnet/telnet/Makefile.am
+++ b/appl/telnet/telnet/Makefile.am
@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_hcrypto)
 
 bin_PROGRAMS = telnet
diff --git a/appl/telnet/telnetd/Makefile.am b/appl/telnet/telnetd/Makefile.am
index d8f5b19f3..7e384fa0e 100644
--- a/appl/telnet/telnetd/Makefile.am
+++ b/appl/telnet/telnetd/Makefile.am
@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 AM_CPPFLAGS += -I$(srcdir)/.. $(INCLUDE_hcrypto)
 
 libexec_PROGRAMS = telnetd
diff --git a/appl/telnet/telnetd/utility.c b/appl/telnet/telnetd/utility.c
index 48d2cf5e2..5b0129c0f 100644
--- a/appl/telnet/telnetd/utility.c
+++ b/appl/telnet/telnetd/utility.c
@@ -87,7 +87,7 @@ ttloop(void)
 int
 stilloob(int s)
 {
-    static struct timeval timeout = { 0 };
+    static struct timeval timeout = { 0, 0 };
     fd_set	excepts;
     int value;
 
diff --git a/appl/test/Makefile.am b/appl/test/Makefile.am
index 85f613748..15ed68fca 100644
--- a/appl/test/Makefile.am
+++ b/appl/test/Makefile.am
@@ -2,6 +2,8 @@
 
 include $(top_srcdir)/Makefile.am.common
 
+WFLAGS += $(WFLAGS_LITE)
+
 noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
 	uu_server uu_client nt_gss_server nt_gss_client http_client
 
diff --git a/appl/test/common.c b/appl/test/common.c
index e0cf264af..40158846b 100644
--- a/appl/test/common.c
+++ b/appl/test/common.c
@@ -51,9 +51,9 @@ static struct getargs args[] = {
     { "keytab", 'k', arg_string, &keytab_str, "keytab to use", "keytab" },
     { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" },
     { "password", 'P', arg_string, &password, "password to use", "password" },
-    { "fork", 'f', arg_flag, &fork_flag, "do fork" },
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "fork", 'f', arg_flag, &fork_flag, "do fork", NULL },
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/appl/test/http_client.c b/appl/test/http_client.c
index c9e1c8492..90a587aac 100644
--- a/appl/test/http_client.c
+++ b/appl/test/http_client.c
@@ -117,15 +117,17 @@ static char *port_str = "http";
 static char *gss_service = "HTTP";
 
 static struct getargs http_args[] = {
-    { "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", },
+    { "verbose", 'v', arg_flag, &verbose_flag, "verbose logging", NULL },
     { "port", 'p', arg_string, &port_str, "port to connect to", "port" },
-    { "delegate", 0, arg_flag, &delegate_flag, "gssapi delegate credential" },
+    { "delegate", 0, arg_flag, &delegate_flag, "gssapi delegate credential",
+      NULL },
     { "gss-service", 's', arg_string, &gss_service, "gssapi service to use",
       "service" },
     { "mech", 'm', arg_string, &mech, "gssapi mech to use", "mech" },
-    { "mutual", 0, arg_negative_flag, &mutual_flag, "no gssapi mutual auth" },
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "mutual", 0, arg_negative_flag, &mutual_flag, "no gssapi mutual auth",
+      NULL },
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_http_args = sizeof(http_args) / sizeof(http_args[0]);
diff --git a/appl/test/nt_gss_server.c b/appl/test/nt_gss_server.c
index cdfee1ea5..d6f7cc1be 100644
--- a/appl/test/nt_gss_server.c
+++ b/appl/test/nt_gss_server.c
@@ -58,8 +58,8 @@ static struct getargs args[] = {
     { "service", 's', arg_string, &service, "service to use", "service" },
     { "dump-auth", 0, arg_string, &auth_file, "dump authorization data",
       "file" },
-    { "help", 'h', arg_flag, &help_flag },
-    { "version", 0, arg_flag, &version_flag }
+    { "help", 'h', arg_flag, &help_flag, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/base/bsearch.c b/base/bsearch.c
index 24fd77cfa..278962172 100644
--- a/base/bsearch.c
+++ b/base/bsearch.c
@@ -171,7 +171,7 @@ bsearch_common(const char *buf, size_t sz, const char *key,
 
     /* Binary search; file should be sorted */
     for (l = 0, r = rmax = sz, i = sz >> 1; i >= l && i < rmax; loop_count++) {
-	heim_assert(i >= 0 && i < sz, "invalid aname2lname db index");
+	heim_assert(i < sz, "invalid aname2lname db index");
 
 	/* buf[i] is likely in the middle of a line; find the next line */
 	linep = find_line(buf, i, rmax);
diff --git a/base/test_base.c b/base/test_base.c
index 78a1c4f4c..838e6cfe2 100644
--- a/base/test_base.c
+++ b/base/test_base.c
@@ -279,7 +279,7 @@ test_json(void)
 	for (k = strlen(j[i]) - 1; k > 0; k--) {
 	    o = heim_json_create_with_bytes(j[i], k, 10, 0, NULL);
 	    if (o != NULL) {
-		fprintf(stderr, "Invalid JSON parsed: %.*s\n", k, j[i]);
+		fprintf(stderr, "Invalid JSON parsed: %.*s\n", (int)k, j[i]);
 		return EINVAL;
 	    }
 	}
@@ -585,14 +585,22 @@ static void
 test_db_iter(heim_data_t k, heim_data_t v, void *arg)
 {
     int *ret = arg;
+    const void *kptr, *vptr;
+    size_t klen, vlen;
 
     heim_assert(heim_get_tid(k) == heim_data_get_type_id(), "...");
 
-    if (heim_data_get_length(k) == strlen("msg") && strncmp(heim_data_get_ptr(k), "msg", strlen("msg")) == 0 &&
-	heim_data_get_length(v) == strlen("abc") && strncmp(heim_data_get_ptr(v), "abc", strlen("abc")) == 0)
+    kptr = heim_data_get_ptr(k);
+    klen = heim_data_get_length(k);
+    vptr = heim_data_get_ptr(v);
+    vlen = heim_data_get_length(v);
+
+    if (klen == strlen("msg") && !strncmp(kptr, "msg", strlen("msg")) &&
+	vlen == strlen("abc") && !strncmp(vptr, "abc", strlen("abc")))
 	*ret &= ~(1);
-    else if (heim_data_get_length(k) == strlen("msg2") && strncmp(heim_data_get_ptr(k), "msg2", strlen("msg2")) == 0 &&
-	heim_data_get_length(v) == strlen("FooBar") && strncmp(heim_data_get_ptr(v), "FooBar", strlen("FooBar")) == 0)
+    else if (klen == strlen("msg2") &&
+	!strncmp(kptr, "msg2", strlen("msg2")) &&
+	vlen == strlen("FooBar") && !strncmp(vptr, "FooBar", strlen("FooBar")))
 	*ret &= ~(2);
     else
 	*ret |= 4;
diff --git a/cf/roken-frag.m4 b/cf/roken-frag.m4
index 7e9f8da11..3a06bb4a2 100644
--- a/cf/roken-frag.m4
+++ b/cf/roken-frag.m4
@@ -28,7 +28,7 @@ dnl C characteristics
 AC_REQUIRE([AC_C___ATTRIBUTE__])
 AC_REQUIRE([AC_C_INLINE])
 AC_REQUIRE([AC_C_CONST])
-rk_WFLAGS(-Wall -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
+rk_WFLAGS(-Wall -Wextra -Wno-sign-compare -Wno-unused-parameter -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast -Wmissing-declarations -Wnested-externs)
 
 AC_REQUIRE([rk_DB])
 
diff --git a/cf/wflags.m4 b/cf/wflags.m4
index f610ac61e..53472b8cf 100644
--- a/cf/wflags.m4
+++ b/cf/wflags.m4
@@ -20,10 +20,16 @@ if test -z "$WFLAGS" -a "$GCC" = "yes"; then
   #   -Wmissing-declarations -Wnested-externs
   #   -Wstrict-overflow=5
   WFLAGS="ifelse($#, 0,-Wall, $1) $dwflags"
-  WFLAGS_NOUNUSED="-Wno-unused"
   WFLAGS_NOIMPLICITINT="-Wno-implicit-int"
+
+  #
+  # WFLAGS_LITE can be appended to WFLAGS to turn off a host of warnings
+  # that fail for various bits of older code in appl/.  Let's not use it
+  # for the main libraries, though.
+
+  WFLAGS_LITE="-Wno-extra -Wno-missing-field-initializers -Wno-strict-aliasing -Wno-unused-result"
 fi
 AC_SUBST(WFLAGS)dnl
-AC_SUBST(WFLAGS_NOUNUSED)dnl
+AC_SUBST(WFLAGS_LITE)dnl
 AC_SUBST(WFLAGS_NOIMPLICITINT)dnl
 ])
diff --git a/kadmin/add-random-users.c b/kadmin/add-random-users.c
index c3beaf206..64f22f5d1 100644
--- a/kadmin/add-random-users.c
+++ b/kadmin/add-random-users.c
@@ -139,8 +139,8 @@ static int version_flag	= 0;
 static int help_flag	= 0;
 
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag,    NULL, NULL }
 };
 
 static void
diff --git a/kadmin/ank.c b/kadmin/ank.c
index 7ed66ff73..c1488d035 100644
--- a/kadmin/ank.c
+++ b/kadmin/ank.c
@@ -125,10 +125,18 @@ add_one_principal (const char *name,
     } else if(password == NULL) {
 	char *princ_name;
 	char *prompt;
+	int aret;
 
-	krb5_unparse_name(context, princ_ent, &princ_name);
-	asprintf (&prompt, "%s's Password: ", princ_name);
+	ret = krb5_unparse_name(context, princ_ent, &princ_name);
+	if (ret)
+	    goto out;
+	aret = asprintf (&prompt, "%s's Password: ", princ_name);
 	free (princ_name);
+	if (aret == -1) {
+	    ret = ENOMEM;
+	    krb5_set_error_message(context, ret, "out of memory");
+	    goto out;
+	}
 	ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), prompt, 1);
 	free (prompt);
 	if (ret) {
diff --git a/kadmin/cpw.c b/kadmin/cpw.c
index a5ca9ff74..425575d89 100644
--- a/kadmin/cpw.c
+++ b/kadmin/cpw.c
@@ -85,14 +85,19 @@ set_password (krb5_principal principal, char *password, int keepold)
 {
     krb5_error_code ret = 0;
     char pwbuf[128];
+    int aret;
 
     if(password == NULL) {
 	char *princ_name;
 	char *prompt;
 
-	krb5_unparse_name(context, principal, &princ_name);
-	asprintf(&prompt, "%s's Password: ", princ_name);
+	ret = krb5_unparse_name(context, principal, &princ_name);
+	if (ret)
+	    return ret;
+	aret = asprintf(&prompt, "%s's Password: ", princ_name);
 	free (princ_name);
+	if (aret == -1)
+	    return ENOMEM;
 	ret = UI_UTIL_read_pw_string(pwbuf, sizeof(pwbuf), prompt, 1);
 	free (prompt);
 	if(ret){
diff --git a/kadmin/get.c b/kadmin/get.c
index 6c2bc78d0..802b65dc5 100644
--- a/kadmin/get.c
+++ b/kadmin/get.c
@@ -66,7 +66,7 @@ static struct field_name {
     { "aliases", KADM5_TL_DATA, KRB5_TL_ALIASES, 0, "Aliases", "Aliases", 0 },
     { "hist-kvno-diff-clnt", KADM5_TL_DATA, KRB5_TL_HIST_KVNO_DIFF_CLNT, 0, "Clnt hist keys", "Historic keys allowed for client", 0 },
     { "hist-kvno-diff-svc", KADM5_TL_DATA, KRB5_TL_HIST_KVNO_DIFF_SVC, 0, "Svc hist keys", "Historic keys allowed for service", 0 },
-    { NULL }
+    { NULL, 0, 0, 0, NULL, NULL, 0 }
 };
 
 struct field_info {
@@ -125,12 +125,17 @@ format_keytype(krb5_key_data *k, krb5_salt *def_salt, char *buf, size_t buf_len)
 {
     krb5_error_code ret;
     char *s;
+    int aret;
 
+    buf[0] = '\0';
     ret = krb5_enctype_to_string (context,
 				  k->key_data_type[0],
 				  &s);
-    if (ret)
-	asprintf (&s, "unknown(%d)", k->key_data_type[0]);
+    if (ret) {
+	aret = asprintf (&s, "unknown(%d)", k->key_data_type[0]);
+	if (aret == -1)
+	    return;	/* Nothing to do here, we have no way to pass the err */
+    }
     strlcpy(buf, s, buf_len);
     free(s);
 
@@ -140,21 +145,29 @@ format_keytype(krb5_key_data *k, krb5_salt *def_salt, char *buf, size_t buf_len)
 				   k->key_data_type[0],
 				   k->key_data_type[1],
 				   &s);
-    if (ret)
-	asprintf (&s, "unknown(%d)", k->key_data_type[1]);
+    if (ret) {
+	aret = asprintf (&s, "unknown(%d)", k->key_data_type[1]);
+	if (aret == -1)
+	    return;	/* Again, nothing else to do... */
+    }
     strlcat(buf, s, buf_len);
     free(s);
 
+    aret = 0;
     if (cmp_salt(def_salt, k) == 0)
 	s = strdup("");
     else if(k->key_data_length[1] == 0)
 	s = strdup("()");
     else
-	asprintf (&s, "(%.*s)", k->key_data_length[1],
-		  (char *)k->key_data_contents[1]);
+	aret = asprintf (&s, "(%.*s)", k->key_data_length[1],
+			 (char *)k->key_data_contents[1]);
+    if (aret == -1 || s == NULL)
+	return;		/* Again, nothing else we can do... */
     strlcat(buf, s, buf_len);
     free(s);
-    asprintf (&s, "[%d]", k->key_data_kvno);
+    aret = asprintf (&s, "[%d]", k->key_data_kvno);
+    if (aret == -1)
+	return;
     strlcat(buf, ")", buf_len);
 
     strlcat(buf, s, buf_len);
diff --git a/kadmin/kadmin.c b/kadmin/kadmin.c
index 538507476..602ef91a5 100644
--- a/kadmin/kadmin.c
+++ b/kadmin/kadmin.c
@@ -159,6 +159,7 @@ main(int argc, char **argv)
     kadm5_config_params conf;
     int optidx = 0;
     int exit_status = 0;
+    int aret;
 
     setprogname(argv[0]);
 
@@ -181,8 +182,8 @@ main(int argc, char **argv)
     argv += optidx;
 
     if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1)
 	    errx(1, "out of memory");
     }
 
diff --git a/kadmin/kadmind.c b/kadmin/kadmind.c
index f99f95723..ba6aabcd9 100644
--- a/kadmin/kadmind.c
+++ b/kadmin/kadmind.c
@@ -119,8 +119,10 @@ main(int argc, char **argv)
     argv += optidx;
 
     if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	int aret;
+
+	aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1)
 	    errx(1, "out of memory");
     }
 
diff --git a/kadmin/stash.c b/kadmin/stash.c
index f9b940ac5..9585535e1 100644
--- a/kadmin/stash.c
+++ b/kadmin/stash.c
@@ -45,6 +45,7 @@ stash(struct stash_options *opt, int argc, char **argv)
     krb5_error_code ret;
     krb5_enctype enctype;
     hdb_master_key mkey;
+    int aret;
 
     if(!local_flag) {
 	krb5_warnx(context, "stash is only available in local (-l) mode");
@@ -58,8 +59,8 @@ stash(struct stash_options *opt, int argc, char **argv)
     }
 
     if(opt->key_file_string == NULL) {
-	asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context));
-	if (opt->key_file_string == NULL)
+	aret = asprintf(&opt->key_file_string, "%s/m-key", hdb_db_dir(context));
+	if (aret == -1)
 	    errx(1, "out of memory");
     }
 
@@ -108,10 +109,16 @@ stash(struct stash_options *opt, int argc, char **argv)
     }
 
     {
-	char *new, *old;
-	asprintf(&old, "%s.old", opt->key_file_string);
-	asprintf(&new, "%s.new", opt->key_file_string);
-	if(old == NULL || new == NULL) {
+	char *new = NULL, *old = NULL;
+	int aret;
+
+	aret = asprintf(&old, "%s.old", opt->key_file_string);
+	if (aret == -1) {
+	    ret = ENOMEM;
+	    goto out;
+	}
+	aret = asprintf(&new, "%s.new", opt->key_file_string);
+	if (aret == -1) {
 	    ret = ENOMEM;
 	    goto out;
 	}
diff --git a/kcm/cache.c b/kcm/cache.c
index 1bd220c8a..a527369f7 100644
--- a/kcm/cache.c
+++ b/kcm/cache.c
@@ -42,12 +42,15 @@ char *kcm_ccache_nextid(pid_t pid, uid_t uid, gid_t gid)
 {
     unsigned n;
     char *name;
+    int ret;
 
     HEIMDAL_MUTEX_lock(&ccache_mutex);
     n = ++ccache_nextid;
     HEIMDAL_MUTEX_unlock(&ccache_mutex);
 
-    asprintf(&name, "%ld:%u", (long)uid, n);
+    ret = asprintf(&name, "%ld:%u", (long)uid, n);
+    if (ret == -1)
+	return NULL;
 
     return name;
 }
diff --git a/kcm/config.c b/kcm/config.c
index 26c48be3c..8659c0a99 100644
--- a/kcm/config.c
+++ b/kcm/config.c
@@ -86,22 +86,22 @@ static struct getargs args[] = {
     },
     {
 	"launchd",	0,	arg_flag, &launchd_flag,
-	"when in use by launchd"
+	"when in use by launchd", NULL
     },
 #ifdef SUPPORT_DETACH
 #if DETACH_IS_DEFAULT
     {
 	"detach",       'D',      arg_negative_flag, &detach_from_console,
-	"don't detach from console"
+	"don't detach from console", NULL
     },
 #else
     {
 	"detach",       0 ,      arg_flag, &detach_from_console,
-	"detach from console"
+	"detach from console", NULL
     },
 #endif
 #endif
-    {	"help",		'h',	arg_flag,   &help_flag },
+    {	"help",		'h',	arg_flag,   &help_flag, NULL, NULL },
     {
 	"system-principal",	'k',	arg_string,	&system_principal,
 	"system principal name",	"principal"
@@ -116,11 +116,11 @@ static struct getargs args[] = {
     },
     {
 	"name-constraints",	'n', arg_negative_flag, &name_constraints,
-	"disable credentials cache name constraints"
+	"disable credentials cache name constraints", NULL
     },
     {
 	"disallow-getting-krbtgt", 0, arg_flag, &disallow_getting_krbtgt,
-	"disable fetching krbtgt from the cache"
+	"disable fetching krbtgt from the cache", NULL
     },
     {
 	"renewable-life",	'r', arg_string, &renew_life,
@@ -148,7 +148,7 @@ static struct getargs args[] = {
 	"user",		'u',	arg_string,	&system_user,
 	"system cache owner",	"user"
     },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/kcm/glue.c b/kcm/glue.c
index 8b0d17226..b4a131963 100644
--- a/kcm/glue.c
+++ b/kcm/glue.c
@@ -263,7 +263,16 @@ static const krb5_cc_ops krb5_kcmss_ops = {
     kcmss_end_get,
     kcmss_remove_cred,
     kcmss_set_flags,
-    kcmss_get_version
+    kcmss_get_version,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 krb5_error_code
diff --git a/kcm/main.c b/kcm/main.c
index 2b3af2220..71681bd4a 100644
--- a/kcm/main.c
+++ b/kcm/main.c
@@ -102,7 +102,8 @@ main(int argc, char **argv)
 #endif
 #ifdef SUPPORT_DETACH
     if (detach_from_console)
-	daemon(0, 0);
+	if (daemon(0, 0) == -1)
+	    err(1, "daemon");
 #endif
     pidfile(NULL);
 
diff --git a/kcm/protocol.c b/kcm/protocol.c
index 0cf7157b7..5d7a63503 100644
--- a/kcm/protocol.c
+++ b/kcm/protocol.c
@@ -1070,6 +1070,7 @@ kcm_op_get_default_cache(krb5_context context,
     krb5_error_code ret;
     const char *name = NULL;
     char *n = NULL;
+    int aret;
 
     KCM_LOG_REQUEST(context, client, opcode);
 
@@ -1083,8 +1084,9 @@ kcm_op_get_default_cache(krb5_context context,
 	name = n = kcm_ccache_first_name(client);
 
     if (name == NULL) {
-	asprintf(&n, "%d", (int)client->uid);
-	name = n;
+	aret = asprintf(&n, "%d", (int)client->uid);
+	if (aret != -1)
+	    name = n;
     }
     if (name == NULL)
 	return ENOMEM;
diff --git a/kdc/config.c b/kdc/config.c
index 485f20be2..bc5820c75 100644
--- a/kdc/config.c
+++ b/kdc/config.c
@@ -181,10 +181,11 @@ configure(krb5_context context, int argc, char **argv, int *optidx)
 
     {
 	char **files;
+	int aret;
 
 	if (config_file == NULL) {
-	    asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	    if (config_file == NULL)
+	    aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	    if (aret == -1 || config_file == NULL)
 		errx(1, "out of memory");
 	}
 
diff --git a/kdc/digest.c b/kdc/digest.c
index 5c90e9e2a..9dfe220f6 100644
--- a/kdc/digest.c
+++ b/kdc/digest.c
@@ -406,11 +406,12 @@ _kdc_do_digest(krb5_context context,
 
 	if (ireq.u.init.channel) {
 	    char *s;
+	    int aret;
 
-	    asprintf(&s, "%s-%s:%s", r.u.initReply.nonce,
-		     ireq.u.init.channel->cb_type,
-		     ireq.u.init.channel->cb_binding);
-	    if (s == NULL) {
+	    aret = asprintf(&s, "%s-%s:%s", r.u.initReply.nonce,
+			    ireq.u.init.channel->cb_type,
+			    ireq.u.init.channel->cb_binding);
+	    if (aret == -1 || s == NULL) {
 		ret = ENOMEM;
 		krb5_set_error_message(context, ret,
 				       "Failed to allocate channel binding");
@@ -427,6 +428,8 @@ _kdc_do_digest(krb5_context context,
 	}
 
 	if (strcasecmp(ireq.u.init.type, "CHAP") == 0) {
+	    int aret;
+
 	    r.u.initReply.identifier =
 		malloc(sizeof(*r.u.initReply.identifier));
 	    if (r.u.initReply.identifier == NULL) {
@@ -435,8 +438,8 @@ _kdc_do_digest(krb5_context context,
 		goto out;
 	    }
 
-	    asprintf(r.u.initReply.identifier, "%02X", identifier & 0xff);
-	    if (*r.u.initReply.identifier == NULL) {
+	    aret = asprintf(r.u.initReply.identifier, "%02X", identifier&0xff);
+	    if (aret == -1 || *r.u.initReply.identifier == NULL) {
 		ret = ENOMEM;
 		krb5_set_error_message(context, ret, "malloc: out of memory");
 		goto out;
@@ -997,10 +1000,12 @@ _kdc_do_digest(krb5_context context,
 	    }
 
 	} else {
+	    int aret;
+
 	    r.element = choice_DigestRepInner_error;
-	    asprintf(&r.u.error.reason, "Unsupported digest type %s",
-		     ireq.u.digestRequest.type);
-	    if (r.u.error.reason == NULL) {
+	    aret = asprintf(&r.u.error.reason, "Unsupported digest type %s",
+			    ireq.u.digestRequest.type);
+	    if (aret == -1 || r.u.error.reason == NULL) {
 		ret = ENOMEM;
 		krb5_set_error_message(context, ret, "malloc: out of memory");
 		goto out;
diff --git a/kdc/hpropd.c b/kdc/hpropd.c
index 75b26a15f..7dee4e7b5 100644
--- a/kdc/hpropd.c
+++ b/kdc/hpropd.c
@@ -145,7 +145,7 @@ main(int argc, char **argv)
 	if(getpeername(sock, sa, &sin_len) < 0)
 	    krb5_err(context, 1, errno, "getpeername");
 
-	if (inet_ntop(sa->sa_family,
+	if (inet_ntop(ss.ss_family,
 		      socket_get_address (sa),
 		      addr_name,
 		      sizeof(addr_name)) == NULL)
@@ -207,7 +207,11 @@ main(int argc, char **argv)
     }
 
     if(!print_dump) {
-	asprintf(&tmp_db, "%s~", database);
+	int aret;
+
+	aret = asprintf(&tmp_db, "%s~", database);
+	if (aret == -1)
+	    krb5_errx(context, 1, "hdb_create: out of memory");
 
 	ret = hdb_create(context, &db, tmp_db);
 	if(ret)
diff --git a/kdc/kdc-replay.c b/kdc/kdc-replay.c
index b0510f408..af4e55c35 100644
--- a/kdc/kdc-replay.c
+++ b/kdc/kdc-replay.c
@@ -37,11 +37,11 @@ static int version_flag;
 static int help_flag;
 
 struct getargs args[] = {
-    { "version",   0,	arg_flag, &version_flag },
-    { "help",     'h',	arg_flag, &help_flag }
+    { "version",   0,	arg_flag, &version_flag, NULL, NULL },
+    { "help",     'h',	arg_flag, &help_flag,    NULL, NULL }
 };
 
-const static int num_args = sizeof(args) / sizeof(args[0]);
+static const int num_args = sizeof(args) / sizeof(args[0]);
 
 static void
 usage(int ret)
diff --git a/kdc/kstash.c b/kdc/kstash.c
index 0b75fb8d8..4aad28e3a 100644
--- a/kdc/kstash.c
+++ b/kdc/kstash.c
@@ -66,6 +66,7 @@ main(int argc, char **argv)
 {
     char buf[1024];
     krb5_error_code ret;
+    int aret;
 
     krb5_enctype enctype;
 
@@ -84,8 +85,11 @@ main(int argc, char **argv)
 	krb5_errx(context, 1, "random-key and master-key-fd "
 		  "is mutual exclusive");
 
-    if (keyfile == NULL)
-	asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
+    if (keyfile == NULL) {
+	aret = asprintf(&keyfile, "%s/m-key", hdb_db_dir(context));
+	if (aret == -1)
+	    krb5_errx(context, 1, "out of memory");
+    }
 
     ret = krb5_string_to_enctype(context, enctype_str, &enctype);
     if(ret)
@@ -132,9 +136,21 @@ main(int argc, char **argv)
     }
 
     {
-	char *new, *old;
-	asprintf(&old, "%s.old", keyfile);
-	asprintf(&new, "%s.new", keyfile);
+	char *new = NULL, *old = NULL;
+	int aret;
+
+	aret = asprintf(&old, "%s.old", keyfile);
+	if (aret == -1) {
+	    old = NULL;
+	    ret = ENOMEM;
+	    goto out;
+	}
+	aret = asprintf(&new, "%s.new", keyfile);
+	if (aret == -1) {
+	    new = NULL;
+	    ret = ENOMEM;
+	    goto out;
+	}
 	if(unlink(new) < 0 && errno != ENOENT) {
 	    ret = errno;
 	    goto out;
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index f56b09c40..619d4c4e9 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -2035,7 +2035,14 @@ krb5_kdc_pk_initialize(krb5_context context,
 				  "pkinit_mappings_file",
 				  NULL);
     if (file == NULL) {
-	asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));
+	int aret;
+
+	aret = asprintf(&fn, "%s/pki-mapping", hdb_db_dir(context));
+	if (aret == -1) {
+	    krb5_warnx(context, "PKINIT: out of memory");
+	    return ENOMEM;
+	}
+
 	file = fn;
     }
 
diff --git a/kpasswd/kpasswd-generator.c b/kpasswd/kpasswd-generator.c
index 952531d30..1db0bc9af 100644
--- a/kpasswd/kpasswd-generator.c
+++ b/kpasswd/kpasswd-generator.c
@@ -96,6 +96,7 @@ generate_requests (const char *filename, unsigned nreq)
 	int result_code;
 	krb5_data result_code_string, result_string;
 	char *old_pwd, *new_pwd;
+	int aret;
 
 	krb5_get_init_creds_opt_alloc (context, &opt);
 	krb5_get_init_creds_opt_set_tkt_life (opt, 300);
@@ -106,8 +107,12 @@ generate_requests (const char *filename, unsigned nreq)
 	if (ret)
 	    krb5_err (context, 1, ret, "krb5_parse_name %s", name);
 
-	asprintf (&old_pwd, "%s", name);
-	asprintf (&new_pwd, "%s2", name);
+	aret = asprintf (&old_pwd, "%s", name);
+	if (aret == -1)
+	    krb5_errx(context, 1, "out of memory");
+	aret = asprintf (&new_pwd, "%s2", name);
+	if (aret == -1)
+	    krb5_errx(context, 1, "out of memory");
 
 	ret = krb5_get_init_creds_password (context,
 					    &cred,
@@ -163,8 +168,8 @@ static int version_flag	= 0;
 static int help_flag	= 0;
 
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag,    NULL, NULL }
 };
 
 static void
diff --git a/kpasswd/kpasswd.c b/kpasswd/kpasswd.c
index e681a359d..491a907f4 100644
--- a/kpasswd/kpasswd.c
+++ b/kpasswd/kpasswd.c
@@ -64,22 +64,23 @@ change_password(krb5_context context,
     krb5_error_code ret;
     char pwbuf[BUFSIZ];
     char *msg, *name;
+    int aret;
 
     krb5_data_zero (&result_code_string);
     krb5_data_zero (&result_string);
 
     name = msg = NULL;
     if (principal == NULL)
-	asprintf(&msg, "New password: ");
+	aret = asprintf(&msg, "New password: ");
     else {
 	ret = krb5_unparse_name(context, principal, &name);
 	if (ret)
 	    krb5_err(context, 1, ret, "krb5_unparse_name");
 
-	asprintf(&msg, "New password for %s: ", name);
+	aret = asprintf(&msg, "New password for %s: ", name);
     }
 
-    if (msg == NULL)
+    if (aret == -1 || msg == NULL)
 	krb5_errx (context, 1, "out of memory");
 
     ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), msg, 1);
diff --git a/kpasswd/kpasswdd.c b/kpasswd/kpasswdd.c
index 97d39fc5d..8078efd29 100644
--- a/kpasswd/kpasswdd.c
+++ b/kpasswd/kpasswdd.c
@@ -689,7 +689,7 @@ doit (krb5_keytab keytab, int port)
 
 	krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
 
-	sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
+	sockets[i] = socket (__ss.ss_family, SOCK_DGRAM, 0);
 	if (sockets[i] < 0)
 	    krb5_err (context, 1, errno, "socket");
 	if (bind (sockets[i], sa, sa_size) < 0) {
@@ -798,6 +798,7 @@ main (int argc, char **argv)
     krb5_error_code ret;
     char **files;
     int port, i;
+    int aret;
 
     krb5_program_setup(&context, argc, argv, args, num_args, NULL);
 
@@ -809,8 +810,8 @@ main (int argc, char **argv)
     }
 
     if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1)
 	    errx(1, "out of memory");
     }
 
diff --git a/kuser/generate-requests.c b/kuser/generate-requests.c
index 8f50427ad..3a790539b 100644
--- a/kuser/generate-requests.c
+++ b/kuser/generate-requests.c
@@ -98,8 +98,8 @@ static int version_flag	= 0;
 static int help_flag	= 0;
 
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag,    NULL, NULL }
 };
 
 static void
diff --git a/kuser/kdecode_ticket.c b/kuser/kdecode_ticket.c
index 2d30b5f38..edb0cc843 100644
--- a/kuser/kdecode_ticket.c
+++ b/kuser/kdecode_ticket.c
@@ -79,8 +79,8 @@ print_and_decode_tkt (krb5_context context,
 struct getargs args[] = {
     { "enctype",	'e', arg_string, &etype_str,
       "encryption type to use", "enctype"},
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag, NULL, NULL }
 };
 
 static void
diff --git a/kuser/kinit.c b/kuser/kinit.c
index b4c532564..5e01928ec 100644
--- a/kuser/kinit.c
+++ b/kuser/kinit.c
@@ -332,9 +332,10 @@ store_ntlmkey(krb5_context context, krb5_ccache id,
     krb5_error_code ret;
     krb5_data data;
     char *name;
+    int aret;
 
-    asprintf(&name, "ntlm-key-%s", domain);
-    if (name == NULL) {
+    aret = asprintf(&name, "ntlm-key-%s", domain);
+    if (aret == -1 || name == NULL) {
 	krb5_clear_error_message(context);
 	return ENOMEM;
     }
@@ -549,10 +550,15 @@ get_new_tickets(krb5_context context,
 
 	if (passwd[0] == '\0') {
 	    char *p, *prompt;
+	    int aret = 0;
 
-	    krb5_unparse_name (context, principal, &p);
-	    asprintf (&prompt, N_("%s's Password: ", ""), p);
-	    free (p);
+	    ret = krb5_unparse_name (context, principal, &p);
+	    if (!ret) {
+		aret = asprintf (&prompt, N_("%s's Password: ", ""), p);
+		free (p);
+	    }
+	    if (ret || aret == -1)
+		errx(1, "failed to generate passwd prompt: not enough memory");
 
 	    if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
 		memset(passwd, 0, sizeof(passwd));
diff --git a/kuser/kswitch.c b/kuser/kswitch.c
index cdb6ee11c..ba56bf274 100644
--- a/kuser/kswitch.c
+++ b/kuser/kswitch.c
@@ -146,13 +146,14 @@ kswitch(struct kswitch_options *opt, int argc, char **argv)
     } else if (opt->cache_string) {
 	const krb5_cc_ops *ops;
 	char *str;
+	int aret;
 
 	ops = krb5_cc_get_prefix_ops(kcc_context, opt->type_string);
 	if (ops == NULL)
 	    krb5_err(kcc_context, 1, 0, "krb5_cc_get_prefix_ops");
 
-	asprintf(&str, "%s:%s", ops->prefix, opt->cache_string);
-	if (str == NULL)
+	aret = asprintf(&str, "%s:%s", ops->prefix, opt->cache_string);
+	if (aret == -1)
 	    krb5_errx(kcc_context, 1, N_("out of memory", ""));
 
 	ret = krb5_cc_resolve(kcc_context, str, &id);
diff --git a/kuser/kverify.c b/kuser/kverify.c
index 64bd54a2b..83b3b00c8 100644
--- a/kuser/kverify.c
+++ b/kuser/kverify.c
@@ -37,8 +37,8 @@ static int help_flag = 0;
 static int version_flag = 0;
 
 static struct getargs args[] = {
-    { "version", 	0,   arg_flag, &version_flag },
-    { "help",		0,   arg_flag, &help_flag }
+    { "version", 	0,   arg_flag, &version_flag, NULL, NULL },
+    { "help",		0,   arg_flag, &help_flag,    NULL, NULL }
 };
 
 static void
diff --git a/lib/asn1/asn1_gen.c b/lib/asn1/asn1_gen.c
index 01dc68051..58532ee70 100644
--- a/lib/asn1/asn1_gen.c
+++ b/lib/asn1/asn1_gen.c
@@ -150,8 +150,8 @@ doit(const char *fn)
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
diff --git a/lib/asn1/asn1_print.c b/lib/asn1/asn1_print.c
index 84446e0d8..59b9af3b2 100644
--- a/lib/asn1/asn1_print.c
+++ b/lib/asn1/asn1_print.c
@@ -315,10 +315,11 @@ doit (const char *filename)
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
-    { "indent", 0, arg_negative_flag, &indent_flag },
-    { "inner", 0, arg_flag, &inner_flag, "try to parse inner structures of OCTET STRING" },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "indent", 0, arg_negative_flag, &indent_flag, NULL, NULL },
+    { "inner", 0, arg_flag, &inner_flag,
+      "try to parse inner structures of OCTET STRING", NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
diff --git a/lib/asn1/check-common.c b/lib/asn1/check-common.c
index ac96b91b1..e086082ba 100644
--- a/lib/asn1/check-common.c
+++ b/lib/asn1/check-common.c
@@ -178,15 +178,20 @@ static RETSIGTYPE
 segv_handler(int sig)
 {
     int fd;
+    ssize_t ret;
     char msg[] = "SIGSEGV i current test: ";
 
     fd = open("/dev/stdout", O_WRONLY, 0600);
     if (fd >= 0) {
-	write(fd, msg, sizeof(msg));
-	write(fd, current_test, strlen(current_test));
-	write(fd, " ", 1);
-	write(fd, current_state, strlen(current_state));
-	write(fd, "\n", 1);
+	ret = write(fd, msg, sizeof(msg));
+	if (ret != -1)
+	    ret = write(fd, current_test, strlen(current_test));
+	if (ret != -1)
+	    ret = write(fd, " ", 1);
+	if (ret != -1)
+	    ret = write(fd, current_state, strlen(current_state));
+	if (ret != -1)
+	    ret = write(fd, "\n", 1);
 	close(fd);
     }
     _exit(1);
diff --git a/lib/asn1/check-der.c b/lib/asn1/check-der.c
index fa80a4254..f4da5bc7f 100644
--- a/lib/asn1/check-der.c
+++ b/lib/asn1/check-der.c
@@ -58,16 +58,16 @@ static int
 test_integer (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x7f"},
-	{NULL, 2, "\x00\x80"},
-	{NULL, 2, "\x01\x00"},
-	{NULL, 1, "\x80"},
-	{NULL, 2, "\xff\x7f"},
-	{NULL, 1, "\xff"},
-	{NULL, 2, "\xff\x01"},
-	{NULL, 2, "\x00\xff"},
-	{NULL, 4, "\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00",		NULL},
+	{NULL, 1, "\x7f",		NULL},
+	{NULL, 2, "\x00\x80",		NULL},
+	{NULL, 2, "\x01\x00",		NULL},
+	{NULL, 1, "\x80",		NULL},
+	{NULL, 2, "\xff\x7f",		NULL},
+	{NULL, 1, "\xff",		NULL},
+	{NULL, 2, "\xff\x01",		NULL},
+	{NULL, 2, "\x00\xff",		NULL},
+	{NULL, 4, "\x7f\xff\xff\xff",	NULL}
     };
 
     int values[] = {0, 127, 128, 256, -128, -129, -1, -255, 255,
@@ -184,14 +184,14 @@ static int
 test_unsigned (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x7f"},
-	{NULL, 2, "\x00\x80"},
-	{NULL, 2, "\x01\x00"},
-	{NULL, 2, "\x02\x00"},
-	{NULL, 3, "\x00\x80\x00"},
-	{NULL, 5, "\x00\x80\x00\x00\x00"},
-	{NULL, 4, "\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00",			NULL},
+	{NULL, 1, "\x7f",			NULL},
+	{NULL, 2, "\x00\x80",			NULL},
+	{NULL, 2, "\x01\x00",			NULL},
+	{NULL, 2, "\x02\x00",			NULL},
+	{NULL, 3, "\x00\x80\x00",		NULL},
+	{NULL, 5, "\x00\x80\x00\x00\x00",	NULL},
+	{NULL, 4, "\x7f\xff\xff\xff",		NULL}
     };
 
     unsigned int values[] = {0, 127, 128, 256, 512, 32768,
@@ -237,7 +237,7 @@ test_octet_string (void)
     heim_octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};
 
     struct test_case tests[] = {
-	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef"}
+	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef", NULL}
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -278,8 +278,8 @@ test_bmp_string (void)
     heim_bmp_string s2 = { 2, bmp_d2 };
 
     struct test_case tests[] = {
-	{NULL, 2, "\x00\x20"},
-	{NULL, 4, "\x00\x20\x00\x20"}
+	{NULL, 2, "\x00\x20",		NULL},
+	{NULL, 4, "\x00\x20\x00\x20",	NULL}
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -326,8 +326,8 @@ test_universal_string (void)
     heim_universal_string s2 = { 2, universal_d2 };
 
     struct test_case tests[] = {
-	{NULL, 4, "\x00\x00\x00\x20"},
-	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20"}
+	{NULL, 4, "\x00\x00\x00\x20",			NULL},
+	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20",	NULL}
     };
     int ntests = sizeof(tests) / sizeof(*tests);
     int ret;
@@ -370,7 +370,7 @@ test_general_string (void)
     char *s1 = "Test User 1";
 
     struct test_case tests[] = {
-	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
+	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31", NULL}
     };
     int ret, ntests = sizeof(tests) / sizeof(*tests);
 
@@ -404,8 +404,8 @@ static int
 test_generalized_time (void)
 {
     struct test_case tests[] = {
-	{NULL, 15, "19700101000000Z"},
-	{NULL, 15, "19851106210627Z"}
+	{NULL, 15, "19700101000000Z",	NULL},
+	{NULL, 15, "19851106210627Z",	NULL}
     };
     time_t values[] = {0, 500159187};
     int i, ret;
@@ -446,10 +446,10 @@ static int
 test_oid (void)
 {
     struct test_case tests[] = {
-	{NULL, 2, "\x29\x01"},
-	{NULL, 1, "\x29"},
-	{NULL, 2, "\xff\x01"},
-	{NULL, 1, "\xff"}
+	{NULL, 2, "\x29\x01",	NULL},
+	{NULL, 1, "\x29",	NULL},
+	{NULL, 2, "\xff\x01",	NULL},
+	{NULL, 1, "\xff",	NULL}
     };
     heim_oid values[] = {
 	{ 3, oid_comp1 },
@@ -490,7 +490,7 @@ static int
 test_bit_string (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\x00"}
+	{NULL, 1, "\x00", NULL}
     };
     heim_bit_string values[] = {
 	{ 0, "" }
@@ -528,13 +528,13 @@ static int
 test_heim_integer (void)
 {
     struct test_case tests[] = {
-	{NULL, 2, "\xfe\x01"},
-	{NULL, 2, "\xef\x01"},
-	{NULL, 3, "\xff\x00\xff"},
-	{NULL, 3, "\xff\x01\x00"},
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x01"},
-	{NULL, 2, "\x00\x80"}
+	{NULL, 2, "\xfe\x01",		NULL},
+	{NULL, 2, "\xef\x01",		NULL},
+	{NULL, 3, "\xff\x00\xff",	NULL},
+	{NULL, 3, "\xff\x01\x00",	NULL},
+	{NULL, 1, "\x00",		NULL},
+	{NULL, 1, "\x01",		NULL},
+	{NULL, 2, "\x00\x80",		NULL}
     };
 
     heim_integer values[] = {
@@ -592,8 +592,8 @@ static int
 test_boolean (void)
 {
     struct test_case tests[] = {
-	{NULL, 1, "\xff"},
-	{NULL, 1, "\x00"}
+	{NULL, 1, "\xff", NULL},
+	{NULL, 1, "\x00", NULL}
     };
 
     int values[] = { 1, 0 };
diff --git a/lib/asn1/check-gen.c b/lib/asn1/check-gen.c
index 85274a696..614190548 100644
--- a/lib/asn1/check-gen.c
+++ b/lib/asn1/check-gen.c
@@ -98,18 +98,21 @@ test_principal (void)
     struct test_case tests[] = {
 	{ NULL, 29,
 	  "\x30\x1b\xa0\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b"
-	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45"
+	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45",
+	  NULL
 	},
 	{ NULL, 35,
 	  "\x30\x21\xa0\x16\x30\x14\xa0\x03\x02\x01\x01\xa1\x0d\x30\x0b\x1b"
 	  "\x03\x6c\x68\x61\x1b\x04\x72\x6f\x6f\x74\xa1\x07\x1b\x05\x53\x55"
-	  "\x2e\x53\x45"
+	  "\x2e\x53\x45",
+	  NULL
 	},
 	{ NULL, 54,
 	  "\x30\x34\xa0\x26\x30\x24\xa0\x03\x02\x01\x03\xa1\x1d\x30\x1b\x1b"
 	  "\x04\x68\x6f\x73\x74\x1b\x13\x6e\x75\x74\x63\x72\x61\x63\x6b\x65"
 	  "\x72\x2e\x65\x2e\x6b\x74\x68\x2e\x73\x65\xa1\x0a\x1b\x08\x45\x2e"
-	  "\x4b\x54\x48\x2e\x53\x45"
+	  "\x4b\x54\x48\x2e\x53\x45",
+	  NULL
 	}
     };
 
@@ -171,7 +174,8 @@ test_authenticator (void)
 	  "\x45\x2e\x4b\x54\x48\x2e\x53\x45\xa2\x10\x30\x0e\xa0"
 	  "\x03\x02\x01\x01\xa1\x07\x30\x05\x1b\x03\x6c\x68\x61"
 	  "\xa4\x03\x02\x01\x0a\xa5\x11\x18\x0f\x31\x39\x37\x30"
-	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a"
+	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a",
+	  NULL
 	},
 	{ NULL, 67,
 	  "\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05"
@@ -179,7 +183,8 @@ test_authenticator (void)
 	  "\x01\xa1\x0d\x30\x0b\x1b\x03\x6c\x68\x61\x1b\x04\x72"
 	  "\x6f\x6f\x74\xa4\x04\x02\x02\x01\x24\xa5\x11\x18\x0f"
 	  "\x31\x39\x37\x30\x30\x31\x30\x31\x30\x30\x31\x36\x33"
-	  "\x39\x5a"
+	  "\x39\x5a",
+	  NULL
 	}
     };
 
@@ -532,7 +537,7 @@ test_time (void)
 	  "time 1" },
 	{ NULL,  17,
 	  "\x18\x0f\x32\x30\x30\x39\x30\x35\x32\x34\x30\x32\x30\x32\x34\x30"
-	  "\x5a"
+	  "\x5a",
 	  "time 2" }
     };
 
@@ -1185,7 +1190,7 @@ check_fail_largetag(void)
 	{NULL, 0, "", "empty buffer"},
 	{NULL, 7, "\x30\x05\xa1\x03\x02\x02\x01",
 	 "one too short" },
-	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01"
+	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01",
 	 "two too short" },
 	{NULL, 7, "\x30\x03\xa1\x03\x02\x02\x01",
 	 "three too short" },
@@ -1220,7 +1225,7 @@ check_fail_sequence(void)
 	{NULL, 0, "", "empty buffer"},
 	{NULL, 24,
 	 "\x30\x16\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
-	 "\x02\x01\x01\xa2\x03\x02\x01\x01"
+	 "\x02\x01\x01\xa2\x03\x02\x01\x01",
 	 "missing one byte from the end, internal length ok"},
 	{NULL, 25,
 	 "\x30\x18\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
diff --git a/lib/asn1/gen_decode.c b/lib/asn1/gen_decode.c
index db7696883..336b18b40 100644
--- a/lib/asn1/gen_decode.c
+++ b/lib/asn1/gen_decode.c
@@ -193,7 +193,7 @@ range_check(const char *name,
 		 "e = ASN1_MAX_CONSTRAINT; %s;\n"
 		 "}\n",
 		 name, length, (long long)r->max, forwstr);
-    if (r->min - 1 == r->max || r->min < r->max)
+    if ((r->min - 1 == r->max || r->min < r->max) && r->min > 0)
 	fprintf (codefile,
 		 "if ((%s)->%s < %lld) {\n"
 		 "e = ASN1_MIN_CONSTRAINT; %s;\n"
diff --git a/lib/asn1/gen_encode.c b/lib/asn1/gen_encode.c
index b8afceaee..f043f6097 100644
--- a/lib/asn1/gen_encode.c
+++ b/lib/asn1/gen_encode.c
@@ -50,7 +50,7 @@ classname(Der_class class)
 {
     const char *cn[] = { "ASN1_C_UNIV", "ASN1_C_APPL",
 			 "ASN1_C_CONTEXT", "ASN1_C_PRIV" };
-    if(class < ASN1_C_UNIV || class > ASN1_C_PRIVATE)
+    if(class > ASN1_C_PRIVATE)
 	return "???";
     return cn[class];
 }
diff --git a/lib/asn1/main.c b/lib/asn1/main.c
index f22dc8792..2c20013c1 100644
--- a/lib/asn1/main.c
+++ b/lib/asn1/main.c
@@ -70,16 +70,16 @@ char *option_file;
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "template", 0, arg_flag, &template_flag },
-    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring },
-    { "decode-dce-ber", 0, arg_flag, &support_ber },
-    { "support-ber", 0, arg_flag, &support_ber },
-    { "preserve-binary", 0, arg_strings, &preserve },
-    { "sequence", 0, arg_strings, &seq },
-    { "one-code-file", 0, arg_flag, &one_code_file },
-    { "option-file", 0, arg_string, &option_file },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "template", 0, arg_flag, &template_flag, NULL, NULL },
+    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring, NULL, NULL},
+    { "decode-dce-ber", 0, arg_flag, &support_ber, NULL, NULL },
+    { "support-ber", 0, arg_flag, &support_ber, NULL, NULL },
+    { "preserve-binary", 0, arg_strings, &preserve, NULL, NULL },
+    { "sequence", 0, arg_strings, &seq, NULL, NULL },
+    { "one-code-file", 0, arg_flag, &one_code_file, NULL, NULL },
+    { "option-file", 0, arg_string, &option_file, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
diff --git a/lib/com_err/compile_et.c b/lib/com_err/compile_et.c
index c72abdecc..c0700583e 100644
--- a/lib/com_err/compile_et.c
+++ b/lib/com_err/compile_et.c
@@ -186,8 +186,8 @@ generate(void)
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c
index f31244678..deae016bc 100644
--- a/lib/gssapi/krb5/external.c
+++ b/lib/gssapi/krb5/external.c
@@ -202,67 +202,131 @@ static gss_mo_desc krb5_mo[] = {
     },
     {
 	GSS_C_MA_MECH_CONCRETE,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_ITOK_FRAMED,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_AUTH_INIT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_AUTH_TARG,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_AUTH_INIT_ANON,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_DELEG_CRED,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_INTEG_PROT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_CONF_PROT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_MIC,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_WRAP,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_PROT_READY,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_REPLAY_DET,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_OOS_DET,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_CBINDINGS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_PFS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_CTX_TRANS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     }
 };
 
diff --git a/lib/gssapi/mech/gss_oid.c b/lib/gssapi/mech/gss_oid.c
index 916d1e4dd..de70cca6a 100644
--- a/lib/gssapi/mech/gss_oid.c
+++ b/lib/gssapi/mech/gss_oid.c
@@ -254,13 +254,13 @@ struct _gss_oid_name_table _gss_ont_ma[] = {
   { GSS_C_MA_AUTH_INIT_INIT, "GSS_C_MA_AUTH_INIT_INIT", "auth-init-princ-initial", "" },
   { GSS_C_MA_MECH_CONCRETE, "GSS_C_MA_MECH_CONCRETE", "concrete-mech", "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" },
   { GSS_C_MA_SASL_MECH_NAME, "GSS_C_MA_SASL_MECH_NAME", "SASL mechanism name", "The name of the SASL mechanism" },
-  { NULL }
+  { NULL, NULL, NULL, NULL }
 };
 
 struct _gss_oid_name_table _gss_ont_mech[] = {
   { GSS_KRB5_MECHANISM, "GSS_KRB5_MECHANISM", "Kerberos 5", "Heimdal Kerberos 5 mechanism" },
   { GSS_SPNEGO_MECHANISM, "GSS_SPNEGO_MECHANISM", "SPNEGO", "Heimdal SPNEGO mechanism" },
   { GSS_NTLM_MECHANISM, "GSS_NTLM_MECHANISM", "NTLM", "Heimdal NTLM mechanism" },
-  { NULL }
+  { NULL, NULL, NULL, NULL }
 };
 
diff --git a/lib/gssapi/ntlm/external.c b/lib/gssapi/ntlm/external.c
index d0474f4ec..aea76cb78 100644
--- a/lib/gssapi/ntlm/external.c
+++ b/lib/gssapi/ntlm/external.c
@@ -120,6 +120,9 @@ static gssapi_mech_interface_desc ntlm_mech = {
     NULL,
     NULL,
     NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface
diff --git a/lib/gssapi/ntlm/init_sec_context.c b/lib/gssapi/ntlm/init_sec_context.c
index bae04e174..384e9815a 100644
--- a/lib/gssapi/ntlm/init_sec_context.c
+++ b/lib/gssapi/ntlm/init_sec_context.c
@@ -103,6 +103,7 @@ get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
     krb5_error_code ret;
     char *confname;
     krb5_data data;
+    int aret;
 
     *username = NULL;
     krb5_data_zero(&data);
@@ -128,8 +129,8 @@ get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
     if (ret)
 	goto out;
 
-    asprintf(&confname, "ntlm-key-%s", name->domain);
-    if (confname == NULL) {
+    aret = asprintf(&confname, "ntlm-key-%s", name->domain);
+    if (aret == -1) {
 	krb5_clear_error_message(context);
 	ret = ENOMEM;
 	goto out;
diff --git a/lib/gssapi/spnego/external.c b/lib/gssapi/spnego/external.c
index ca06d46e8..937ab1d11 100644
--- a/lib/gssapi/spnego/external.c
+++ b/lib/gssapi/spnego/external.c
@@ -66,11 +66,19 @@ static gss_mo_desc spnego_mo[] = {
     },
     {
 	GSS_C_MA_MECH_NEGO,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     },
     {
 	GSS_C_MA_MECH_PSEUDO,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
     }
 };
 
@@ -134,6 +142,9 @@ static gssapi_mech_interface_desc spnego_mech = {
     NULL,
     NULL,
     NULL,
+    NULL,
+    NULL,
+    NULL,
 };
 
 gssapi_mech_interface
diff --git a/lib/hdb/db3.c b/lib/hdb/db3.c
index e4d326b4a..6155bc8ef 100644
--- a/lib/hdb/db3.c
+++ b/lib/hdb/db3.c
@@ -176,16 +176,24 @@ DB_rename(krb5_context context, HDB *db, const char *new_name)
     int ret;
     char *old, *new;
 
-    asprintf(&old, "%s.db", db->hdb_name);
-    asprintf(&new, "%s.db", new_name);
+    ret = asprintf(&old, "%s.db", db->hdb_name);
+    if (ret == -1)
+	return ENOMEM;
+    ret = asprintf(&new, "%s.db", new_name);
+    if (ret == -1) {
+	free(old);
+	return ENOMEM;
+    }
     ret = rename(old, new);
     free(old);
-    free(new);
-    if(ret)
+    if(ret) {
+	free(new);
 	return errno;
+    }
 
     free(db->hdb_name);
-    db->hdb_name = strdup(new_name);
+    new[strlen(new) - 3] = '\0';
+    db->hdb_name = new;
     return 0;
 }
 
@@ -271,6 +279,7 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
     krb5_error_code ret;
     DB *d;
     int myflags = 0;
+    int aret;
 
     if (flags & O_CREAT)
       myflags |= DB_CREATE;
@@ -284,8 +293,8 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
     if (flags & O_TRUNC)
       myflags |= DB_TRUNCATE;
 
-    asprintf(&fn, "%s.db", db->hdb_name);
-    if (fn == NULL) {
+    aret = asprintf(&fn, "%s.db", db->hdb_name);
+    if (aret == -1) {
 	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
 	return ENOMEM;
     }
diff --git a/lib/hdb/dbinfo.c b/lib/hdb/dbinfo.c
index 52e394106..a85e3fc50 100644
--- a/lib/hdb/dbinfo.c
+++ b/lib/hdb/dbinfo.c
@@ -153,12 +153,14 @@ hdb_get_dbinfo(krb5_context context, struct hdb_dbinfo **dbp)
 	    p = strrchr(di->dbname, '.');
 	    if(p == NULL || strchr(p, '/') != NULL)
 		/* final pathname component does not contain a . */
-		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
+		ret = asprintf(&di->mkey_file, "%s.mkey", di->dbname);
 	    else
 		/* the filename is something.else, replace .else with
                    .mkey */
-		asprintf(&di->mkey_file, "%.*s.mkey",
-			 (int)(p - di->dbname), di->dbname);
+		ret = asprintf(&di->mkey_file, "%.*s.mkey",
+			       (int)(p - di->dbname), di->dbname);
+	    if (ret == -1)
+		return ENOMEM;
 	}
 	if(di->acl_file == NULL)
 	    di->acl_file = strdup(default_acl);
diff --git a/lib/hdb/keytab.c b/lib/hdb/keytab.c
index c72b797da..84a8ea9c0 100644
--- a/lib/hdb/keytab.c
+++ b/lib/hdb/keytab.c
@@ -420,5 +420,7 @@ krb5_kt_ops hdb_kt_ops = {
     hdb_next_entry,
     hdb_end_seq_get,
     NULL,		/* add */
-    NULL		/* remove */
+    NULL,		/* remove */
+    NULL,
+    0
 };
diff --git a/lib/hdb/test_dbinfo.c b/lib/hdb/test_dbinfo.c
index efe50afb6..b94b75bb3 100644
--- a/lib/hdb/test_dbinfo.c
+++ b/lib/hdb/test_dbinfo.c
@@ -38,8 +38,8 @@ static int help_flag;
 static int version_flag;
 
 struct getargs args[] = {
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/lib/hdb/test_hdbkeys.c b/lib/hdb/test_hdbkeys.c
index 873c00f3a..ce4e59fa1 100644
--- a/lib/hdb/test_hdbkeys.c
+++ b/lib/hdb/test_hdbkeys.c
@@ -40,9 +40,9 @@ static int version_flag;
 static int kvno_integer = 1;
 
 struct getargs args[] = {
-    { "kvno",		'd',	arg_integer, &kvno_integer },
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "kvno",		'd',	arg_integer, &kvno_integer, NULL, NULL },
+    { "help",		'h',	arg_flag,    &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,    &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/lib/hdb/test_mkey.c b/lib/hdb/test_mkey.c
index 11032d078..97399c6b5 100644
--- a/lib/hdb/test_mkey.c
+++ b/lib/hdb/test_mkey.c
@@ -8,9 +8,9 @@ static int help_flag;
 static int version_flag;
 
 struct getargs args[] = {
-    { "mkey-file",	0,      arg_string, &mkey_file },
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "mkey-file",	0,      arg_string, &mkey_file,    NULL, NULL },
+    { "help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c
index cb5a7be62..e2a95fe7e 100644
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -965,8 +965,8 @@ build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
     }
 
     t = time(NULL);
-    asprintf(&tstr, "ts-%lu", (unsigned long)t);
-    if (tstr == NULL) {
+    ret = asprintf(&tstr, "ts-%lu", (unsigned long)t);
+    if (ret == -1 || tstr == NULL) {
 	hx509_set_error_string(context, 0, ENOMEM,
 			       "Failed to copy subject name");
 	return ENOMEM;
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 70e575603..75b7b3810 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -3425,7 +3425,9 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
     *env = NULL;
 
     /* version */
-    asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+    ret = asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+    if (ret == -1)
+	goto out;
     ret = hx509_env_add(context, &envcert, "version", buf);
     free(buf);
     if (ret)
diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c
index 4e0a2e03f..49a948570 100644
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -209,7 +209,7 @@ unparse_CMSIdentifier(hx509_context context,
 		      CMSIdentifier *id,
 		      char **str)
 {
-    int ret;
+    int ret = -1;
 
     *str = NULL;
     switch (id->element) {
@@ -227,8 +227,8 @@ unparse_CMSIdentifier(hx509_context context,
 	    free(name);
 	    return ret;
 	}
-	asprintf(str, "certificate issued by %s with serial number %s",
-		 name, serial);
+	ret = asprintf(str, "certificate issued by %s with serial number %s",
+		       name, serial);
 	free(name);
 	free(serial);
 	break;
@@ -242,15 +242,19 @@ unparse_CMSIdentifier(hx509_context context,
 	if (len < 0)
 	    return ENOMEM;
 
-	asprintf(str, "certificate with id %s", keyid);
+	ret = asprintf(str, "certificate with id %s", keyid);
 	free(keyid);
 	break;
     }
     default:
-	asprintf(str, "certificate have unknown CMSidentifier type");
+	ret = asprintf(str, "certificate have unknown CMSidentifier type");
 	break;
     }
-    if (*str == NULL)
+    /*
+     * In the following if, we check ret and *str which should be returned/set
+     * by asprintf(3) in every branch of the switch statement.
+     */
+    if (ret == -1 || *str == NULL)
 	return ENOMEM;
     return 0;
 }
diff --git a/lib/hx509/error.c b/lib/hx509/error.c
index 32c92cf1b..be09414bf 100644
--- a/lib/hx509/error.c
+++ b/lib/hx509/error.c
@@ -194,13 +194,14 @@ hx509_err(hx509_context context, int exit_code,
     va_list ap;
     const char *msg;
     char *str;
+    int ret;
 
     va_start(ap, fmt);
-    vasprintf(&str, fmt, ap);
+    ret = vasprintf(&str, fmt, ap);
     va_end(ap);
     msg = hx509_get_error_string(context, error_code);
     if (msg == NULL)
 	msg = "no error";
 
-    errx(exit_code, "%s: %s", str, msg);
+    errx(exit_code, "%s: %s", ret != -1 ? str : "ENOMEM", msg);
 }
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index 4bd467f42..204110b03 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -372,9 +372,9 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
     infile = argv[0];
 
     if (argc < 2) {
-	asprintf(&outfile, "%s.%s", infile,
-		 opt->pem_flag ? "pem" : "cms-signeddata");
-	if (outfile == NULL)
+	ret = asprintf(&outfile, "%s.%s", infile,
+		       opt->pem_flag ? "pem" : "cms-signeddata");
+	if (ret == -1 || outfile == NULL)
 	    errx(1, "out of memory");
     } else
 	outfile = argv[1];
diff --git a/lib/hx509/keyset.c b/lib/hx509/keyset.c
index c0275d949..fcfc0b3b7 100644
--- a/lib/hx509/keyset.c
+++ b/lib/hx509/keyset.c
@@ -752,11 +752,12 @@ _hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
 {
     va_list ap;
     char *str;
+    int ret;
 
     va_start(ap, fmt);
-    vasprintf(&str, fmt, ap);
+    ret = vasprintf(&str, fmt, ap);
     va_end(ap);
-    if (str == NULL)
+    if (ret == -1 || str == NULL)
 	return;
     (*func)(ctx, str);
     free(str);
diff --git a/lib/hx509/ks_dir.c b/lib/hx509/ks_dir.c
index 264b1bf55..1740dfe42 100644
--- a/lib/hx509/ks_dir.c
+++ b/lib/hx509/ks_dir.c
@@ -211,7 +211,10 @@ static struct hx509_keyset_ops keyset_dir = {
     NULL,
     dir_iter_start,
     dir_iter,
-    dir_iter_end
+    dir_iter_end,
+    NULL,
+    NULL,
+    NULL
 };
 
 void
diff --git a/lib/hx509/ks_null.c b/lib/hx509/ks_null.c
index 136d2d434..5ac0beb7b 100644
--- a/lib/hx509/ks_null.c
+++ b/lib/hx509/ks_null.c
@@ -87,7 +87,10 @@ struct hx509_keyset_ops keyset_null = {
     NULL,
     null_iter_start,
     null_iter,
-    null_iter_end
+    null_iter_end,
+    NULL,
+    NULL,
+    NULL
 };
 
 void
diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c
index 120bf43ef..bb70f8dfe 100644
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -226,6 +226,7 @@ static const RSA_METHOD p11_rsa_pkcs1_method = {
     0,
     NULL,
     NULL,
+    NULL,
     NULL
 };
 
@@ -330,8 +331,10 @@ p11_init_slot(hx509_context context,
 	break;
     }
 
-    asprintf(&slot->name, "%.*s",
-	     (int)i, slot_info.slotDescription);
+    ret = asprintf(&slot->name, "%.*s", (int)i,
+		   slot_info.slotDescription);
+    if (ret == -1)
+	return ENOMEM;
 
     if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
 	return 0;
@@ -422,7 +425,12 @@ p11_get_session(hx509_context context,
 
 	    memset(&prompt, 0, sizeof(prompt));
 
-	    asprintf(&str, "PIN code for %s: ", slot->name);
+	    ret = asprintf(&str, "PIN code for %s: ", slot->name);
+	    if (ret == -1 || str == NULL) {
+		if (context)
+		    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+		return ENOMEM;
+	    }
 	    prompt.prompt = str;
 	    prompt.type = HX509_PROMPT_TYPE_PASSWORD;
 	    prompt.reply.data = pin;
@@ -717,9 +725,9 @@ collect_cert(hx509_context context,
     if ((CK_LONG)query[2].ulValueLen != -1) {
 	char *str;
 
-	asprintf(&str, "%.*s",
-		 (int)query[2].ulValueLen, (char *)query[2].pValue);
-	if (str) {
+	ret = asprintf(&str, "%.*s",
+		       (int)query[2].ulValueLen, (char *)query[2].pValue);
+	if (ret != -1 && str) {
 	    hx509_cert_set_friendly_name(cert, str);
 	    free(str);
 	}
@@ -1176,7 +1184,9 @@ static struct hx509_keyset_ops keyset_pkcs11 = {
     p11_iter_start,
     p11_iter,
     p11_iter_end,
-    p11_printinfo
+    p11_printinfo,
+    NULL,
+    NULL
 };
 
 #endif /* HAVE_DLOPEN */
diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c
index 0ca13de1e..098cb5ebe 100644
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -697,7 +697,10 @@ static struct hx509_keyset_ops keyset_pkcs12 = {
     NULL,
     p12_iter_start,
     p12_iter,
-    p12_iter_end
+    p12_iter_end,
+    NULL,
+    NULL,
+    NULL
 };
 
 void
diff --git a/lib/hx509/lock.c b/lib/hx509/lock.c
index b72d45962..52f72dba1 100644
--- a/lib/hx509/lock.c
+++ b/lib/hx509/lock.c
@@ -47,7 +47,10 @@ struct hx509_lock_data {
 };
 
 static struct hx509_lock_data empty_lock_data = {
-    { 0, NULL }
+    { 0, NULL },
+    NULL,
+    NULL,
+    NULL
 };
 
 hx509_lock _hx509_empty_lock = &empty_lock_data;
diff --git a/lib/hx509/softp11.c b/lib/hx509/softp11.c
index 38f587e0f..2fb81a024 100644
--- a/lib/hx509/softp11.c
+++ b/lib/hx509/softp11.c
@@ -615,7 +615,11 @@ add_certificate(const char *cert_file,
 
     if (pin) {
 	char *str;
-	asprintf(&str, "PASS:%s", pin);
+	ret = asprintf(&str, "PASS:%s", pin);
+	if (ret == -1 || !str) {
+	    st_logf("failed to allocate memory\n");
+	    return CKR_GENERAL_ERROR;
+	}
 
 	hx509_lock_init(context, &lock);
 	hx509_lock_command_string(lock, str);
@@ -815,6 +819,7 @@ get_config_file_for_user(void)
 
 #ifndef _WIN32
     char *home = NULL;
+    int ret;
 
     if (!issuid()) {
         fn = getenv("SOFTPKCS11RC");
@@ -828,9 +833,11 @@ get_config_file_for_user(void)
             home = pw->pw_dir;
     }
     if (fn == NULL) {
-        if (home)
-            asprintf(&fn, "%s/.soft-token.rc", home);
-        else
+        if (home) {
+            ret = asprintf(&fn, "%s/.soft-token.rc", home);
+	    if (ret == -1)
+		fn = NULL;
+        } else
             fn = strdup("/etc/soft-token.rc");
     }
 #else  /* Windows */
@@ -1205,8 +1212,13 @@ C_Login(CK_SESSION_HANDLE hSession,
     VERIFY_SESSION_HANDLE(hSession, NULL);
 
     if (pPin != NULL_PTR) {
-	asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
-	st_logf("type: %d password: %s\n", (int)userType, pin);
+	int aret;
+
+	aret = asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+	if (aret != -1 && pin)
+		st_logf("type: %d password: %s\n", (int)userType, pin);
+	else
+		st_logf("memory error: asprintf failed\n");
     }
 
     /*
diff --git a/lib/ipc/client.c b/lib/ipc/client.c
index bb7d9750b..a51e91c99 100644
--- a/lib/ipc/client.c
+++ b/lib/ipc/client.c
@@ -352,10 +352,12 @@ common_path_init(const char *service,
 	return ENOMEM;
     s->fd = -1;
 
-    asprintf(&s->path, "/var/run/.heim_%s-%s", service, file);
+    if (asprintf(&s->path, "/var/run/.heim_%s-%s", service, file) == -1) {
+	free(s);
+	return ENOMEM;
+    }
 
     *ctx = s;
-
     return 0;
 }
 
diff --git a/lib/ipc/tc.c b/lib/ipc/tc.c
index 8b56d21aa..b8f8e278d 100644
--- a/lib/ipc/tc.c
+++ b/lib/ipc/tc.c
@@ -46,8 +46,8 @@ static int help_flag;
 static int version_flag;
 
 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/lib/ipc/ts-http.c b/lib/ipc/ts-http.c
index b493079d9..fbeb31956 100644
--- a/lib/ipc/ts-http.c
+++ b/lib/ipc/ts-http.c
@@ -44,8 +44,8 @@ static int help_flag;
 static int version_flag;
 
 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/lib/ipc/ts.c b/lib/ipc/ts.c
index 680d77bc9..e0f846eee 100644
--- a/lib/ipc/ts.c
+++ b/lib/ipc/ts.c
@@ -44,8 +44,8 @@ static int help_flag;
 static int version_flag;
 
 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };
 
 static int num_args = sizeof(args) / sizeof(args[0]);
diff --git a/lib/kadm5/ad.c b/lib/kadm5/ad.c
index 6fd42d66e..731a37e03 100644
--- a/lib/kadm5/ad.c
+++ b/lib/kadm5/ad.c
@@ -484,13 +484,14 @@ ad_get_cred(kadm5_ad_context *context, const char *password)
     kadm5_ret_t ret;
     krb5_ccache cc;
     char *service;
+    int aret;
 
     if (context->ccache)
 	return 0;
 
-    asprintf(&service, "%s/%s@%s", KRB5_TGS_NAME,
-	     context->realm, context->realm);
-    if (service == NULL)
+    aret = asprintf(&service, "%s/%s@%s", KRB5_TGS_NAME,
+		    context->realm, context->realm);
+    if (aret == -1 || service == NULL)
 	return ENOMEM;
 
     ret = _kadm5_c_get_cred_cache(context->context,
diff --git a/lib/kadm5/context_s.c b/lib/kadm5/context_s.c
index d5b9d4f25..fe716a240 100644
--- a/lib/kadm5/context_s.c
+++ b/lib/kadm5/context_s.c
@@ -130,6 +130,7 @@ find_db_spec(kadm5_server_context *ctx)
     krb5_context context = ctx->context;
     struct hdb_dbinfo *info, *d;
     krb5_error_code ret;
+    int aret;
 
     if (ctx->config.realm) {
 	/* fetch the databases */
@@ -169,12 +170,24 @@ find_db_spec(kadm5_server_context *ctx)
 
     if (ctx->config.dbname == NULL)
 	ctx->config.dbname = strdup(hdb_default_db(context));
-    if (ctx->config.acl_file == NULL)
-	asprintf(&ctx->config.acl_file, "%s/kadmind.acl", hdb_db_dir(context));
-    if (ctx->config.stash_file == NULL)
-	asprintf(&ctx->config.stash_file, "%s/m-key", hdb_db_dir(context));
-    if (ctx->log_context.log_file == NULL)
-	asprintf(&ctx->log_context.log_file, "%s/log", hdb_db_dir(context));
+    if (ctx->config.acl_file == NULL) {
+	aret = asprintf(&ctx->config.acl_file, "%s/kadmind.acl",
+			hdb_db_dir(context));
+	if (aret == -1)
+	    return ENOMEM;
+    }
+    if (ctx->config.stash_file == NULL) {
+	aret = asprintf(&ctx->config.stash_file, "%s/m-key",
+			hdb_db_dir(context));
+	if (aret == -1)
+	    return ENOMEM;
+    }
+    if (ctx->log_context.log_file == NULL) {
+	aret = asprintf(&ctx->log_context.log_file, "%s/log",
+			hdb_db_dir(context));
+	if (aret == -1)
+	    return ENOMEM;
+    }
 
 #ifndef NO_UNIX_SOCKETS
     set_socket_name(context, &ctx->log_context.socket_name);
diff --git a/lib/kadm5/get_princs_s.c b/lib/kadm5/get_princs_s.c
index a351e4390..26c3d6729 100644
--- a/lib/kadm5/get_princs_s.c
+++ b/lib/kadm5/get_princs_s.c
@@ -96,9 +96,14 @@ kadm5_s_get_principals(void *server_handle,
     d.exp = expression;
     {
 	krb5_realm r;
+	int aret;
+
 	krb5_get_default_realm(context->context, &r);
-	asprintf(&d.exp2, "%s@%s", expression, r);
+	aret = asprintf(&d.exp2, "%s@%s", expression, r);
 	free(r);
+	if (aret == -1 || d.exp2 == NULL) {
+	    return ENOMEM;
+	}
     }
     d.princs = NULL;
     d.count = 0;
diff --git a/lib/kadm5/init_c.c b/lib/kadm5/init_c.c
index f21cd32e6..f6fd6d3dc 100644
--- a/lib/kadm5/init_c.c
+++ b/lib/kadm5/init_c.c
@@ -479,11 +479,12 @@ kadm_connect(kadm5_client_context *ctx)
     }
 
     if (ctx->realm)
-	asprintf(&service_name, "%s@%s", KADM5_ADMIN_SERVICE, ctx->realm);
+	error = asprintf(&service_name, "%s@%s", KADM5_ADMIN_SERVICE,
+			 ctx->realm);
     else
-	asprintf(&service_name, "%s", KADM5_ADMIN_SERVICE);
+	error = asprintf(&service_name, "%s", KADM5_ADMIN_SERVICE);
 
-    if (service_name == NULL) {
+    if (error == -1 || service_name == NULL) {
 	freeaddrinfo (ai);
 	rk_closesocket(s);
 	krb5_clear_error_message(context);
diff --git a/lib/kadm5/iprop-log.c b/lib/kadm5/iprop-log.c
index b201de66d..598fbc52a 100644
--- a/lib/kadm5/iprop-log.c
+++ b/lib/kadm5/iprop-log.c
@@ -47,11 +47,12 @@ get_kadmin_context(const char *config_file, char *realm)
     krb5_error_code ret;
     void *kadm_handle;
     char **files;
+    int aret;
 
     if (config_file == NULL) {
 	char *file;
-	asprintf(&file, "%s/kdc.conf", hdb_db_dir(context));
-	if (file == NULL)
+	aret = asprintf(&file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1 || file == NULL)
 	    errx(1, "out of memory");
 	config_file = file;
     }
diff --git a/lib/kadm5/ipropd_master.c b/lib/kadm5/ipropd_master.c
index e92526e26..a60c21ed8 100644
--- a/lib/kadm5/ipropd_master.c
+++ b/lib/kadm5/ipropd_master.c
@@ -623,24 +623,25 @@ open_stats(krb5_context context)
 {
     char *statfile = NULL;
     const char *fn;
-    FILE *f;
+    int ret;
 
     if (slave_stats_file)
 	fn = slave_stats_file;
     else {
-	asprintf(&statfile,  "%s/slaves-stats", hdb_db_dir(context));
+	ret = asprintf(&statfile,  "%s/slaves-stats", hdb_db_dir(context));
+	if (ret == -1)
+	    return NULL;
 	fn = krb5_config_get_string_default(context,
 					    NULL,
 					    statfile,
 					    "kdc",
 					    "iprop-stats",
 					    NULL);
-    }
-    f = fopen(fn, "w");
-    if (statfile)
 	free(statfile);
-
-    return f;
+    }
+    if (fn == NULL)
+	return NULL;
+    return fopen(fn, "w");
 }
 
 static void
@@ -776,6 +777,7 @@ main(int argc, char **argv)
     uint32_t current_version = 0, old_version = 0;
     krb5_keytab keytab;
     char **files;
+    int aret;
 
     (void) krb5_program_setup(&context, argc, argv, args, num_args, NULL);
 
@@ -789,8 +791,8 @@ main(int argc, char **argv)
     setup_signal();
 
     if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1 || config_file == NULL)
 	    errx(1, "out of memory");
     }
 
@@ -811,8 +813,13 @@ main(int argc, char **argv)
 	krb5_errx (context, 1, "couldn't parse time: %s", slave_time_missing);
 
 #ifdef SUPPORT_DETACH
-    if (detach_from_console)
-	daemon(0, 0);
+    if (detach_from_console) {
+	aret = daemon(0, 0);
+	if (aret == -1) {
+	    /* not much to do if detaching fails... */
+	    krb5_err(context, 1, aret, "failed to daemon(3)ise");
+	}
+    }
 #endif
     pidfile (NULL);
     krb5_openlog (context, "ipropd-master", &log_facility);
diff --git a/lib/kadm5/ipropd_slave.c b/lib/kadm5/ipropd_slave.c
index f80ac0544..55523d2ea 100644
--- a/lib/kadm5/ipropd_slave.c
+++ b/lib/kadm5/ipropd_slave.c
@@ -107,6 +107,7 @@ get_creds(krb5_context context, const char *keytab_str,
     krb5_creds creds;
     char *server;
     char keytab_buf[256];
+    int aret;
 
     if (keytab_str == NULL) {
 	ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
@@ -127,8 +128,8 @@ get_creds(krb5_context context, const char *keytab_str,
     ret = krb5_get_init_creds_opt_alloc(context, &init_opts);
     if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
 
-    asprintf (&server, "%s/%s", IPROP_NAME, serverhost);
-    if (server == NULL)
+    aret = asprintf (&server, "%s/%s", IPROP_NAME, serverhost);
+    if (aret == -1 || server == NULL)
 	krb5_errx (context, 1, "malloc: no memory");
 
     ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
@@ -374,7 +375,9 @@ receive_everything (krb5_context context, int fd,
 
     krb5_warnx(context, "receive complete database");
 
-    asprintf(&dbname, "%s-NEW", server_context->db->hdb_name);
+    ret = asprintf(&dbname, "%s-NEW", server_context->db->hdb_name);
+    if (ret == -1)
+	krb5_err(context, 1, ENOMEM, "asprintf");
     ret = hdb_create(context, &mydb, dbname);
     if(ret)
 	krb5_err(context,1, ret, "hdb_create");
@@ -563,6 +566,7 @@ main(int argc, char **argv)
     time_t reconnect_max;
     time_t reconnect;
     time_t before = 0;
+    int aret;
 
     const char *master;
 
@@ -615,8 +619,13 @@ main(int argc, char **argv)
     slave_status(context, status_file, "bootstrapping\n");
 
 #ifdef SUPPORT_DETACH
-    if (detach_from_console)
-	daemon(0, 0);
+    if (detach_from_console){
+	aret = daemon(0, 0);
+	if (aret == -1) {
+	    /* not much to do if detaching fails... */
+	    krb5_err(context, 1, aret, "failed to daemon(3)ise");
+	}
+    }
 #endif
     pidfile (NULL);
     krb5_openlog (context, "ipropd-slave", &log_facility);
diff --git a/lib/kadm5/log.c b/lib/kadm5/log.c
index 76084b09a..a3e23e36a 100644
--- a/lib/kadm5/log.c
+++ b/lib/kadm5/log.c
@@ -1015,9 +1015,13 @@ static HEIMDAL_MUTEX signal_mutex = HEIMDAL_MUTEX_INITIALIZER;
 const char *
 kadm5_log_signal_socket(krb5_context context)
 {
+    int ret = 0;
+
     HEIMDAL_MUTEX_lock(&signal_mutex);
     if (!default_signal)
-	asprintf(&default_signal, "%s/signal", hdb_db_dir(context));
+	ret = asprintf(&default_signal, "%s/signal", hdb_db_dir(context));
+    if (ret == -1)
+	default_signal = NULL;
     HEIMDAL_MUTEX_unlock(&signal_mutex);
 
     return krb5_config_get_string_default(context,
diff --git a/lib/kadm5/test_pw_quality.c b/lib/kadm5/test_pw_quality.c
index e3c8d2f0f..ebef429c4 100644
--- a/lib/kadm5/test_pw_quality.c
+++ b/lib/kadm5/test_pw_quality.c
@@ -42,10 +42,10 @@ static char *principal;
 static char *password;
 
 static struct getargs args[] = {
-    { "principal", 0, arg_string, &principal },
-    { "password", 0, arg_string, &password },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "principal", 0, arg_string, &principal, NULL, NULL },
+    { "password", 0, arg_string, &password, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
diff --git a/lib/kafs/common.c b/lib/kafs/common.c
index a14eea8dd..ff42cf7ec 100644
--- a/lib/kafs/common.c
+++ b/lib/kafs/common.c
@@ -349,13 +349,19 @@ _kafs_try_get_cred(struct kafs_data *data, const char *user, const char *cell,
     if (kafs_verbose) {
 	const char *estr = (*data->get_error)(data, ret);
 	char *str;
-	asprintf(&str, "%s tried afs%s%s@%s -> %s (%d)",
-		 data->name, cell ? "/" : "",
-		 cell ? cell : "", realm, estr ? estr : "unknown", ret);
-	(*kafs_verbose)(kafs_verbose_ctx, str);
+	int aret;
+
+	aret = asprintf(&str, "%s tried afs%s%s@%s -> %s (%d)",
+			data->name, cell ? "/" : "",
+			cell ? cell : "", realm, estr ? estr : "unknown", ret);
+	if (aret != -1) {
+	    (*kafs_verbose)(kafs_verbose_ctx, str);
+	    free(str);
+	} else {
+	    (*kafs_verbose)(kafs_verbose_ctx, "out of memory");
+	}
 	if (estr)
 	    (*data->free_error)(data, estr);
-	free(str);
     }
 
     return ret;
diff --git a/lib/krb5/addr_families.c b/lib/krb5/addr_families.c
index 5d321a7e9..52252a03d 100644
--- a/lib/krb5/addr_families.c
+++ b/lib/krb5/addr_families.c
@@ -799,6 +799,7 @@ static struct addr_operations at[] = {
 	NULL,
 	NULL,
 	NULL,
+	NULL,
 	NULL
     }
 };
diff --git a/lib/krb5/config_file.c b/lib/krb5/config_file.c
index 4ac25ae28..00b3d6d58 100644
--- a/lib/krb5/config_file.c
+++ b/lib/krb5/config_file.c
@@ -444,8 +444,10 @@ krb5_config_parse_file_multi (krb5_context context,
 		home = pw->pw_dir;
 	}
 	if (home) {
-	    asprintf(&newfname, "%s%s", home, &fname[1]);
-	    if (newfname == NULL) {
+	    int aret;
+
+	    aret = asprintf(&newfname, "%s%s", home, &fname[1]);
+	    if (aret == -1 || newfname == NULL) {
 		krb5_set_error_message(context, ENOMEM,
 				       N_("malloc: out of memory", ""));
 		return ENOMEM;
diff --git a/lib/krb5/crypto-null.c b/lib/krb5/crypto-null.c
index b647a6d10..12ded391c 100644
--- a/lib/krb5/crypto-null.c
+++ b/lib/krb5/crypto-null.c
@@ -45,6 +45,9 @@ static struct _krb5_key_type keytype_null = {
     0,
     NULL,
     NULL,
+    NULL,
+    NULL,
+    NULL,
     NULL
 };
 
diff --git a/lib/krb5/derived-key-test.c b/lib/krb5/derived-key-test.c
index a67c95a54..ba58c8bce 100644
--- a/lib/krb5/derived-key-test.c
+++ b/lib/krb5/derived-key-test.c
@@ -72,7 +72,7 @@ static struct testcase {
     {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
      {0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9, 0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec, 0xd0, 0x16},
      {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94, 0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37, 0xec, 0x5d}},
-    {0}
+    {0, {0}, 0, {0}, {0}}
 };
 
 int
diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c
index 0cc866cd3..708710c3d 100644
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -2473,10 +2473,19 @@ krb5_get_init_creds_password(krb5_context context,
 	krb5_prompt prompt;
 	krb5_data password_data;
 	char *p, *q;
+	int aret = -1;
 
-	krb5_unparse_name (context, client, &p);
-	asprintf (&q, "%s's Password: ", p);
-	free (p);
+	ret = krb5_unparse_name (context, client, &p);
+	if (!ret) {
+	    aret = asprintf (&q, "%s's Password: ", p);
+	    free (p);
+	}
+	if (!ret || aret == -1 || !q) {
+	    if (!ret)
+		ret = ENOMEM;
+	    krb5_clear_error_message (context);
+	    goto out;
+	}
 	prompt.prompt = q;
 	password_data.data   = buf;
 	password_data.length = sizeof(buf);
diff --git a/lib/krb5/kcm.c b/lib/krb5/kcm.c
index 5a28b5138..6d783d7d5 100644
--- a/lib/krb5/kcm.c
+++ b/lib/krb5/kcm.c
@@ -963,6 +963,7 @@ kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
     krb5_storage *request, *response;
     krb5_data response_data;
     char *name;
+    int aret;
 
     *str = NULL;
 
@@ -981,9 +982,9 @@ kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
     if (ret)
 	return ret;
 
-    asprintf(str, "%s:%s", ops->prefix, name);
+    aret = asprintf(str, "%s:%s", ops->prefix, name);
     free(name);
-    if (str == NULL)
+    if (aret == -1 || str == NULL)
 	return ENOMEM;
 
     return 0;
diff --git a/lib/krb5/keytab_any.c b/lib/krb5/keytab_any.c
index d5ac4883d..a808311b8 100644
--- a/lib/krb5/keytab_any.c
+++ b/lib/krb5/keytab_any.c
@@ -257,5 +257,7 @@ const krb5_kt_ops krb5_any_ops = {
     any_next_entry,
     any_end_seq_get,
     any_add_entry,
-    any_remove_entry
+    any_remove_entry,
+    NULL,
+    0
 };
diff --git a/lib/krb5/keytab_file.c b/lib/krb5/keytab_file.c
index ccaf62fcb..51cdd3178 100644
--- a/lib/krb5/keytab_file.c
+++ b/lib/krb5/keytab_file.c
@@ -776,7 +776,9 @@ const krb5_kt_ops krb5_fkt_ops = {
     fkt_next_entry,
     fkt_end_seq_get,
     fkt_add_entry,
-    fkt_remove_entry
+    fkt_remove_entry,
+    NULL,
+    0
 };
 
 const krb5_kt_ops krb5_wrfkt_ops = {
@@ -790,7 +792,9 @@ const krb5_kt_ops krb5_wrfkt_ops = {
     fkt_next_entry,
     fkt_end_seq_get,
     fkt_add_entry,
-    fkt_remove_entry
+    fkt_remove_entry,
+    NULL,
+    0
 };
 
 const krb5_kt_ops krb5_javakt_ops = {
@@ -804,5 +808,7 @@ const krb5_kt_ops krb5_javakt_ops = {
     fkt_next_entry,
     fkt_end_seq_get,
     fkt_add_entry,
-    fkt_remove_entry
+    fkt_remove_entry,
+    NULL,
+    0
 };
diff --git a/lib/krb5/keytab_keyfile.c b/lib/krb5/keytab_keyfile.c
index 120083215..5c1dbff6e 100644
--- a/lib/krb5/keytab_keyfile.c
+++ b/lib/krb5/keytab_keyfile.c
@@ -462,7 +462,9 @@ const krb5_kt_ops krb5_akf_ops = {
     akf_next_entry,
     akf_end_seq_get,
     akf_add_entry,
-    NULL /* remove */
+    NULL, /* remove */
+    NULL,
+    0
 };
 
 #endif /* HEIMDAL_SMALLER */
diff --git a/lib/krb5/keytab_memory.c b/lib/krb5/keytab_memory.c
index 0ee684d36..c0deeab92 100644
--- a/lib/krb5/keytab_memory.c
+++ b/lib/krb5/keytab_memory.c
@@ -232,5 +232,7 @@ const krb5_kt_ops krb5_mkt_ops = {
     mkt_next_entry,
     mkt_end_seq_get,
     mkt_add_entry,
-    mkt_remove_entry
+    mkt_remove_entry,
+    NULL,
+    0
 };
diff --git a/lib/krb5/n-fold-test.c b/lib/krb5/n-fold-test.c
index 452964522..2938b44b3 100644
--- a/lib/krb5/n-fold-test.c
+++ b/lib/krb5/n-fold-test.c
@@ -87,7 +87,7 @@ static struct testcase {
       0x08, 0xa5, 0x08, 0x41, 0x22, 0x9a, 0xd7, 0x98, 0xfa, 0xb9, 0x54,
       0x0c, 0x1b}
     },
-    {NULL, 0}
+    {NULL, 0, {0}}
 };
 
 int
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 1103a1780..e34188afa 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -183,10 +183,10 @@ find_cert(krb5_context context, struct krb5_pk_identity *id,
 	  hx509_query *q, hx509_cert *cert)
 {
     struct certfind cf[4] = {
-	{ "MobileMe EKU" },
-	{ "PKINIT EKU" },
-	{ "MS EKU" },
-	{ "any (or no)" }
+	{ "MobileMe EKU", NULL },
+	{ "PKINIT EKU", NULL },
+	{ "MS EKU", NULL },
+	{ "any (or no)", NULL }
     };
     int ret = HX509_CERT_NOT_FOUND;
     size_t i, start = 1;
diff --git a/lib/krb5/replay.c b/lib/krb5/replay.c
index 965dd4443..747552fbd 100644
--- a/lib/krb5/replay.c
+++ b/lib/krb5/replay.c
@@ -205,6 +205,7 @@ krb5_rc_store(krb5_context context,
     time_t t;
     FILE *f;
     int ret;
+    size_t count;
 
     ent.stamp = time(NULL);
     checksum_authenticator(rep, ent.data);
@@ -217,7 +218,9 @@ krb5_rc_store(krb5_context context,
 	return ret;
     }
     rk_cloexec_file(f);
-    fread(&tmp, sizeof(ent), 1, f);
+    count = fread(&tmp, sizeof(ent), 1, f);
+    if(count != 1)
+	return KRB5_RC_IO_UNKNOWN;
     t = ent.stamp - tmp.stamp;
     while(fread(&tmp, sizeof(ent), 1, f)){
 	if(tmp.stamp < t)
diff --git a/lib/krb5/salt-aes.c b/lib/krb5/salt-aes.c
index 32dafd68c..d2076269d 100644
--- a/lib/krb5/salt-aes.c
+++ b/lib/krb5/salt-aes.c
@@ -99,5 +99,5 @@ struct salt_type _krb5_AES_salt[] = {
 	"pw-salt",
 	AES_string_to_key
     },
-    { 0 }
+    { 0, NULL, NULL }
 };
diff --git a/lib/krb5/salt-arcfour.c b/lib/krb5/salt-arcfour.c
index ab5e51270..f8a4b391e 100644
--- a/lib/krb5/salt-arcfour.c
+++ b/lib/krb5/salt-arcfour.c
@@ -108,5 +108,5 @@ struct salt_type _krb5_arcfour_salt[] = {
 	"pw-salt",
 	ARCFOUR_string_to_key
     },
-    { 0 }
+    { 0, NULL, NULL }
 };
diff --git a/lib/krb5/salt-des.c b/lib/krb5/salt-des.c
index 56b285f72..804b3f254 100644
--- a/lib/krb5/salt-des.c
+++ b/lib/krb5/salt-des.c
@@ -219,6 +219,6 @@ struct salt_type _krb5_des_salt[] = {
 	DES_AFS3_string_to_key
     },
 #endif
-    { 0 }
+    { 0, NULL, NULL }
 };
 #endif
diff --git a/lib/krb5/salt-des3.c b/lib/krb5/salt-des3.c
index 79140a274..f2e40f2d5 100644
--- a/lib/krb5/salt-des3.c
+++ b/lib/krb5/salt-des3.c
@@ -136,7 +136,7 @@ struct salt_type _krb5_des3_salt[] = {
 	"pw-salt",
 	DES3_string_to_key
     },
-    { 0 }
+    { 0, NULL, NULL }
 };
 #endif
 
@@ -146,5 +146,5 @@ struct salt_type _krb5_des3_salt_derived[] = {
 	"pw-salt",
 	DES3_string_to_key_derived
     },
-    { 0 }
+    { 0, NULL, NULL }
 };
diff --git a/lib/krb5/scache.c b/lib/krb5/scache.c
index 5c422c6a4..9bdc9d7d0 100644
--- a/lib/krb5/scache.c
+++ b/lib/krb5/scache.c
@@ -1445,7 +1445,10 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops = {
     scc_end_cache_get,
     scc_move,
     scc_get_default_name,
-    scc_set_default
+    scc_set_default,
+    NULL,
+    NULL,
+    NULL
 };
 
 #endif
diff --git a/lib/krb5/string-to-key-test.c b/lib/krb5/string-to-key-test.c
index cb7081b9e..898857591 100644
--- a/lib/krb5/string-to-key-test.c
+++ b/lib/krb5/string-to-key-test.c
@@ -86,7 +86,7 @@ static struct testcase {
      {0x6d, 0x2f, 0xcd, 0xf2, 0xd6, 0xfb, 0xbc, 0x3d, 0xdc, 0xad, 0xb5, 0xda, 0x57, 0x10, 0xa2, 0x34, 0x89, 0xb0, 0xd3, 0xb6, 0x9d, 0x5d, 0x9d, 0x4a}},
     {"Juri\xc5\xa1i\xc4\x87@ATHENA.MIT.EDU", "\xc3\x9f", ETYPE_DES3_CBC_SHA1,
      {0x16, 0xd5, 0xa4, 0x0e, 0x1c, 0xe3, 0xba, 0xcb, 0x61, 0xb9, 0xdc, 0xe0, 0x04, 0x70, 0x32, 0x4c, 0x83, 0x19, 0x73, 0xa7, 0xb9, 0x52, 0xfe, 0xb0}},
-    {NULL}
+    {NULL, NULL, 0, {0}}
 };
 
 int
diff --git a/lib/krb5/test_cc.c b/lib/krb5/test_cc.c
index 911fba524..c8290b6aa 100644
--- a/lib/krb5/test_cc.c
+++ b/lib/krb5/test_cc.c
@@ -293,31 +293,31 @@ struct {
 } cc_names[] = {
     { "foo", 0, "foo" },
     { "foo%}", 0, "foo%}" },
-    { "%{uid}", 0 },
+    { "%{uid}", 0, NULL },
     { "foo%{null}", 0, "foo" },
     { "foo%{null}bar", 0, "foobar" },
-    { "%{", 1 },
-    { "%{foo %{", 1 },
-    { "%{{", 1 },
-    { "%{{}", 1 },
-    { "%{nulll}", 1 },
-    { "%{does not exist}", 1 },
-    { "%{}", 1 },
+    { "%{", 1, NULL },
+    { "%{foo %{", 1, NULL },
+    { "%{{", 1, NULL },
+    { "%{{}", 1, NULL },
+    { "%{nulll}", 1, NULL },
+    { "%{does not exist}", 1, NULL },
+    { "%{}", 1, NULL },
 #ifdef KRB5_USE_PATH_TOKENS
-    { "%{APPDATA}", 0 },
-    { "%{COMMON_APPDATA}", 0},
-    { "%{LOCAL_APPDATA}", 0},
-    { "%{SYSTEM}", 0},
-    { "%{WINDOWS}", 0},
-    { "%{TEMP}", 0},
-    { "%{USERID}", 0},
-    { "%{uid}", 0},
-    { "%{USERCONFIG}", 0},
-    { "%{COMMONCONFIG}", 0},
-    { "%{LIBDIR}", 0},
-    { "%{BINDIR}", 0},
-    { "%{LIBEXEC}", 0},
-    { "%{SBINDIR}", 0},
+    { "%{APPDATA}", 0, NULL },
+    { "%{COMMON_APPDATA}", 0, NULL},
+    { "%{LOCAL_APPDATA}", 0, NULL},
+    { "%{SYSTEM}", 0, NULL},
+    { "%{WINDOWS}", 0, NULL},
+    { "%{TEMP}", 0, NULL},
+    { "%{USERID}", 0, NULL},
+    { "%{uid}", 0, NULL},
+    { "%{USERCONFIG}", 0, NULL},
+    { "%{COMMONCONFIG}", 0, NULL},
+    { "%{LIBDIR}", 0, NULL},
+    { "%{BINDIR}", 0, NULL},
+    { "%{LIBEXEC}", 0, NULL},
+    { "%{SBINDIR}", 0, NULL},
 #endif
 };
 
diff --git a/lib/krb5/verify_krb5_conf.c b/lib/krb5/verify_krb5_conf.c
index 647a311a2..897cc2da7 100644
--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -353,227 +353,227 @@ struct entry {
 };
 
 struct entry all_strings[] = {
-    { "", krb5_config_string, NULL },
-    { NULL }
+    { "", krb5_config_string, NULL, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry all_boolean[] = {
-    { "", krb5_config_string, check_boolean },
-    { NULL }
+    { "", krb5_config_string, check_boolean, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 
 struct entry v4_name_convert_entries[] = {
-    { "host", krb5_config_list, all_strings },
-    { "plain", krb5_config_list, all_strings },
-    { NULL }
+    { "host", krb5_config_list, all_strings, 0 },
+    { "plain", krb5_config_list, all_strings, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry libdefaults_entries[] = {
-    { "accept_null_addresses", krb5_config_string, check_boolean },
-    { "allow_weak_crypto", krb5_config_string, check_boolean },
+    { "accept_null_addresses", krb5_config_string, check_boolean, 0 },
+    { "allow_weak_crypto", krb5_config_string, check_boolean, 0 },
     { "capath", krb5_config_list, all_strings, 1 },
-    { "check_pac", krb5_config_string, check_boolean },
-    { "clockskew", krb5_config_string, check_time },
-    { "date_format", krb5_config_string, NULL },
-    { "default_cc_name", krb5_config_string, NULL },
-    { "default_etypes", krb5_config_string, NULL },
-    { "default_etypes_des", krb5_config_string, NULL },
-    { "default_keytab_modify_name", krb5_config_string, NULL },
-    { "default_keytab_name", krb5_config_string, NULL },
-    { "default_realm", krb5_config_string, NULL },
-    { "dns_canonize_hostname", krb5_config_string, check_boolean },
-    { "dns_proxy", krb5_config_string, NULL },
-    { "dns_lookup_kdc", krb5_config_string, check_boolean },
-    { "dns_lookup_realm", krb5_config_string, check_boolean },
-    { "dns_lookup_realm_labels", krb5_config_string, NULL },
-    { "egd_socket", krb5_config_string, NULL },
-    { "encrypt", krb5_config_string, check_boolean },
-    { "extra_addresses", krb5_config_string, NULL },
-    { "fcache_version", krb5_config_string, check_numeric },
-    { "fcc-mit-ticketflags", krb5_config_string, check_boolean },
-    { "forward", krb5_config_string, check_boolean },
-    { "forwardable", krb5_config_string, check_boolean },
-    { "http_proxy", krb5_config_string, check_host /* XXX */ },
-    { "ignore_addresses", krb5_config_string, NULL },
-    { "kdc_timeout", krb5_config_string, check_time },
-    { "kdc_timesync", krb5_config_string, check_boolean },
-    { "log_utc", krb5_config_string, check_boolean },
-    { "maxretries", krb5_config_string, check_numeric },
-    { "scan_interfaces", krb5_config_string, check_boolean },
-    { "srv_lookup", krb5_config_string, check_boolean },
-    { "srv_try_txt", krb5_config_string, check_boolean },
-    { "ticket_lifetime", krb5_config_string, check_time },
-    { "time_format", krb5_config_string, NULL },
-    { "transited_realms_reject", krb5_config_string, NULL },
-    { "no-addresses", krb5_config_string, check_boolean },
-    { "v4_instance_resolve", krb5_config_string, check_boolean },
-    { "v4_name_convert", krb5_config_list, v4_name_convert_entries },
-    { "verify_ap_req_nofail", krb5_config_string, check_boolean },
-    { "max_retries", krb5_config_string, check_time },
-    { "renew_lifetime", krb5_config_string, check_time },
-    { "proxiable", krb5_config_string, check_boolean },
-    { "warn_pwexpire", krb5_config_string, check_time },
+    { "check_pac", krb5_config_string, check_boolean, 0 },
+    { "clockskew", krb5_config_string, check_time, 0 },
+    { "date_format", krb5_config_string, NULL, 0 },
+    { "default_cc_name", krb5_config_string, NULL, 0 },
+    { "default_etypes", krb5_config_string, NULL, 0 },
+    { "default_etypes_des", krb5_config_string, NULL, 0 },
+    { "default_keytab_modify_name", krb5_config_string, NULL, 0 },
+    { "default_keytab_name", krb5_config_string, NULL, 0 },
+    { "default_realm", krb5_config_string, NULL, 0 },
+    { "dns_canonize_hostname", krb5_config_string, check_boolean, 0 },
+    { "dns_proxy", krb5_config_string, NULL, 0 },
+    { "dns_lookup_kdc", krb5_config_string, check_boolean, 0 },
+    { "dns_lookup_realm", krb5_config_string, check_boolean, 0 },
+    { "dns_lookup_realm_labels", krb5_config_string, NULL, 0 },
+    { "egd_socket", krb5_config_string, NULL, 0 },
+    { "encrypt", krb5_config_string, check_boolean, 0 },
+    { "extra_addresses", krb5_config_string, NULL, 0 },
+    { "fcache_version", krb5_config_string, check_numeric, 0 },
+    { "fcc-mit-ticketflags", krb5_config_string, check_boolean, 0 },
+    { "forward", krb5_config_string, check_boolean, 0 },
+    { "forwardable", krb5_config_string, check_boolean, 0 },
+    { "http_proxy", krb5_config_string, check_host /* XXX */, 0 },
+    { "ignore_addresses", krb5_config_string, NULL, 0 },
+    { "kdc_timeout", krb5_config_string, check_time, 0 },
+    { "kdc_timesync", krb5_config_string, check_boolean, 0 },
+    { "log_utc", krb5_config_string, check_boolean, 0 },
+    { "maxretries", krb5_config_string, check_numeric, 0 },
+    { "scan_interfaces", krb5_config_string, check_boolean, 0 },
+    { "srv_lookup", krb5_config_string, check_boolean, 0 },
+    { "srv_try_txt", krb5_config_string, check_boolean, 0 },
+    { "ticket_lifetime", krb5_config_string, check_time, 0 },
+    { "time_format", krb5_config_string, NULL, 0 },
+    { "transited_realms_reject", krb5_config_string, NULL, 0 },
+    { "no-addresses", krb5_config_string, check_boolean, 0 },
+    { "v4_instance_resolve", krb5_config_string, check_boolean, 0 },
+    { "v4_name_convert", krb5_config_list, v4_name_convert_entries, 0 },
+    { "verify_ap_req_nofail", krb5_config_string, check_boolean, 0 },
+    { "max_retries", krb5_config_string, check_time, 0 },
+    { "renew_lifetime", krb5_config_string, check_time, 0 },
+    { "proxiable", krb5_config_string, check_boolean, 0 },
+    { "warn_pwexpire", krb5_config_string, check_time, 0 },
     /* MIT stuff */
-    { "permitted_enctypes", krb5_config_string, mit_entry },
-    { "default_tgs_enctypes", krb5_config_string, mit_entry },
-    { "default_tkt_enctypes", krb5_config_string, mit_entry },
-    { NULL }
+    { "permitted_enctypes", krb5_config_string, mit_entry, 0 },
+    { "default_tgs_enctypes", krb5_config_string, mit_entry, 0 },
+    { "default_tkt_enctypes", krb5_config_string, mit_entry, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry appdefaults_entries[] = {
-    { "afslog", krb5_config_string, check_boolean },
-    { "afs-use-524", krb5_config_string, check_524 },
-    { "encrypt", krb5_config_string, check_boolean },
-    { "forward", krb5_config_string, check_boolean },
-    { "forwardable", krb5_config_string, check_boolean },
-    { "proxiable", krb5_config_string, check_boolean },
-    { "ticket_lifetime", krb5_config_string, check_time },
-    { "renew_lifetime", krb5_config_string, check_time },
-    { "no-addresses", krb5_config_string, check_boolean },
-    { "krb4_get_tickets", krb5_config_string, check_boolean },
-    { "pkinit_anchors", krb5_config_string, NULL },
-    { "pkinit_win2k", krb5_config_string, NULL },
-    { "pkinit_win2k_require_binding", krb5_config_string, NULL },
-    { "pkinit_require_eku", krb5_config_string, NULL },
-    { "pkinit_require_krbtgt_otherName", krb5_config_string, NULL },
-    { "pkinit_require_hostname_match", krb5_config_string, NULL },
+    { "afslog", krb5_config_string, check_boolean, 0 },
+    { "afs-use-524", krb5_config_string, check_524, 0 },
+    { "encrypt", krb5_config_string, check_boolean, 0 },
+    { "forward", krb5_config_string, check_boolean, 0 },
+    { "forwardable", krb5_config_string, check_boolean, 0 },
+    { "proxiable", krb5_config_string, check_boolean, 0 },
+    { "ticket_lifetime", krb5_config_string, check_time, 0 },
+    { "renew_lifetime", krb5_config_string, check_time, 0 },
+    { "no-addresses", krb5_config_string, check_boolean, 0 },
+    { "krb4_get_tickets", krb5_config_string, check_boolean, 0 },
+    { "pkinit_anchors", krb5_config_string, NULL, 0 },
+    { "pkinit_win2k", krb5_config_string, NULL, 0 },
+    { "pkinit_win2k_require_binding", krb5_config_string, NULL, 0 },
+    { "pkinit_require_eku", krb5_config_string, NULL, 0 },
+    { "pkinit_require_krbtgt_otherName", krb5_config_string, NULL, 0 },
+    { "pkinit_require_hostname_match", krb5_config_string, NULL, 0 },
 #if 0
-    { "anonymous", krb5_config_string, check_boolean },
+    { "anonymous", krb5_config_string, check_boolean, 0 },
 #endif
-    { "", krb5_config_list, appdefaults_entries },
-    { NULL }
+    { "", krb5_config_list, appdefaults_entries, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry realms_entries[] = {
-    { "forwardable", krb5_config_string, check_boolean },
-    { "proxiable", krb5_config_string, check_boolean },
-    { "ticket_lifetime", krb5_config_string, check_time },
-    { "renew_lifetime", krb5_config_string, check_time },
-    { "warn_pwexpire", krb5_config_string, check_time },
-    { "kdc", krb5_config_string, check_host },
-    { "admin_server", krb5_config_string, check_host },
-    { "kpasswd_server", krb5_config_string, check_host },
-    { "krb524_server", krb5_config_string, check_host },
-    { "v4_name_convert", krb5_config_list, v4_name_convert_entries },
-    { "v4_instance_convert", krb5_config_list, all_strings },
-    { "v4_domains", krb5_config_string, NULL },
-    { "default_domain", krb5_config_string, NULL },
-    { "win2k_pkinit", krb5_config_string, NULL },
+    { "forwardable", krb5_config_string, check_boolean, 0 },
+    { "proxiable", krb5_config_string, check_boolean, 0 },
+    { "ticket_lifetime", krb5_config_string, check_time, 0 },
+    { "renew_lifetime", krb5_config_string, check_time, 0 },
+    { "warn_pwexpire", krb5_config_string, check_time, 0 },
+    { "kdc", krb5_config_string, check_host, 0 },
+    { "admin_server", krb5_config_string, check_host, 0 },
+    { "kpasswd_server", krb5_config_string, check_host, 0 },
+    { "krb524_server", krb5_config_string, check_host, 0 },
+    { "v4_name_convert", krb5_config_list, v4_name_convert_entries, 0 },
+    { "v4_instance_convert", krb5_config_list, all_strings, 0 },
+    { "v4_domains", krb5_config_string, NULL, 0 },
+    { "default_domain", krb5_config_string, NULL, 0 },
+    { "win2k_pkinit", krb5_config_string, NULL, 0 },
     /* MIT stuff */
-    { "admin_keytab", krb5_config_string, mit_entry },
-    { "acl_file", krb5_config_string, mit_entry },
-    { "dict_file", krb5_config_string, mit_entry },
-    { "kadmind_port", krb5_config_string, mit_entry },
-    { "kpasswd_port", krb5_config_string, mit_entry },
-    { "master_key_name", krb5_config_string, mit_entry },
-    { "master_key_type", krb5_config_string, mit_entry },
-    { "key_stash_file", krb5_config_string, mit_entry },
-    { "max_life", krb5_config_string, mit_entry },
-    { "max_renewable_life", krb5_config_string, mit_entry },
-    { "default_principal_expiration", krb5_config_string, mit_entry },
-    { "default_principal_flags", krb5_config_string, mit_entry },
-    { "supported_enctypes", krb5_config_string, mit_entry },
-    { "database_name", krb5_config_string, mit_entry },
-    { NULL }
+    { "admin_keytab", krb5_config_string, mit_entry, 0 },
+    { "acl_file", krb5_config_string, mit_entry, 0 },
+    { "dict_file", krb5_config_string, mit_entry, 0 },
+    { "kadmind_port", krb5_config_string, mit_entry, 0 },
+    { "kpasswd_port", krb5_config_string, mit_entry, 0 },
+    { "master_key_name", krb5_config_string, mit_entry, 0 },
+    { "master_key_type", krb5_config_string, mit_entry, 0 },
+    { "key_stash_file", krb5_config_string, mit_entry, 0 },
+    { "max_life", krb5_config_string, mit_entry, 0 },
+    { "max_renewable_life", krb5_config_string, mit_entry, 0 },
+    { "default_principal_expiration", krb5_config_string, mit_entry, 0 },
+    { "default_principal_flags", krb5_config_string, mit_entry, 0 },
+    { "supported_enctypes", krb5_config_string, mit_entry, 0 },
+    { "database_name", krb5_config_string, mit_entry, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry realms_foobar[] = {
-    { "", krb5_config_list, realms_entries },
-    { NULL }
+    { "", krb5_config_list, realms_entries, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 
 struct entry kdc_database_entries[] = {
-    { "realm", krb5_config_string, NULL },
-    { "dbname", krb5_config_string, NULL },
-    { "mkey_file", krb5_config_string, NULL },
-    { "acl_file", krb5_config_string, NULL },
-    { "log_file", krb5_config_string, NULL },
-    { NULL }
+    { "realm", krb5_config_string, NULL, 0 },
+    { "dbname", krb5_config_string, NULL, 0 },
+    { "mkey_file", krb5_config_string, NULL, 0 },
+    { "acl_file", krb5_config_string, NULL, 0 },
+    { "log_file", krb5_config_string, NULL, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry kdc_entries[] = {
-    { "database", krb5_config_list, kdc_database_entries },
-    { "key-file", krb5_config_string, NULL },
-    { "logging", krb5_config_string, check_log },
-    { "max-request", krb5_config_string, check_bytes },
-    { "require-preauth", krb5_config_string, check_boolean },
-    { "ports", krb5_config_string, NULL },
-    { "addresses", krb5_config_string, NULL },
-    { "enable-kerberos4", krb5_config_string, check_boolean },
-    { "enable-524", krb5_config_string, check_boolean },
-    { "enable-http", krb5_config_string, check_boolean },
-    { "check-ticket-addresses", krb5_config_string, check_boolean },
-    { "allow-null-ticket-addresses", krb5_config_string, check_boolean },
-    { "allow-anonymous", krb5_config_string, check_boolean },
-    { "v4_realm", krb5_config_string, NULL },
+    { "database", krb5_config_list, kdc_database_entries, 0 },
+    { "key-file", krb5_config_string, NULL, 0 },
+    { "logging", krb5_config_string, check_log, 0 },
+    { "max-request", krb5_config_string, check_bytes, 0 },
+    { "require-preauth", krb5_config_string, check_boolean, 0 },
+    { "ports", krb5_config_string, NULL, 0 },
+    { "addresses", krb5_config_string, NULL, 0 },
+    { "enable-kerberos4", krb5_config_string, check_boolean, 0 },
+    { "enable-524", krb5_config_string, check_boolean, 0 },
+    { "enable-http", krb5_config_string, check_boolean, 0 },
+    { "check-ticket-addresses", krb5_config_string, check_boolean, 0 },
+    { "allow-null-ticket-addresses", krb5_config_string, check_boolean, 0 },
+    { "allow-anonymous", krb5_config_string, check_boolean, 0 },
+    { "v4_realm", krb5_config_string, NULL, 0 },
     { "enable-kaserver", krb5_config_string, check_boolean, 1 },
-    { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean },
-    { "kdc_warn_pwexpire", krb5_config_string, check_time },
-    { "use_2b", krb5_config_list, NULL },
-    { "enable-pkinit", krb5_config_string, check_boolean },
-    { "pkinit_identity", krb5_config_string, NULL },
-    { "pkinit_anchors", krb5_config_string, NULL },
-    { "pkinit_pool", krb5_config_string, NULL },
-    { "pkinit_revoke", krb5_config_string, NULL },
-    { "pkinit_kdc_ocsp", krb5_config_string, NULL },
-    { "pkinit_principal_in_certificate", krb5_config_string, NULL },
-    { "pkinit_dh_min_bits", krb5_config_string, NULL },
-    { "pkinit_allow_proxy_certificate", krb5_config_string, NULL },
-    { "hdb-ldap-create-base", krb5_config_string, NULL },
-    { "v4-realm", krb5_config_string, NULL },
-    { NULL }
+    { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean, 0 },
+    { "kdc_warn_pwexpire", krb5_config_string, check_time, 0 },
+    { "use_2b", krb5_config_list, NULL, 0 },
+    { "enable-pkinit", krb5_config_string, check_boolean, 0 },
+    { "pkinit_identity", krb5_config_string, NULL, 0 },
+    { "pkinit_anchors", krb5_config_string, NULL, 0 },
+    { "pkinit_pool", krb5_config_string, NULL, 0 },
+    { "pkinit_revoke", krb5_config_string, NULL, 0 },
+    { "pkinit_kdc_ocsp", krb5_config_string, NULL, 0 },
+    { "pkinit_principal_in_certificate", krb5_config_string, NULL, 0 },
+    { "pkinit_dh_min_bits", krb5_config_string, NULL, 0 },
+    { "pkinit_allow_proxy_certificate", krb5_config_string, NULL, 0 },
+    { "hdb-ldap-create-base", krb5_config_string, NULL, 0 },
+    { "v4-realm", krb5_config_string, NULL, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry kadmin_entries[] = {
-    { "password_lifetime", krb5_config_string, check_time },
-    { "default_keys", krb5_config_string, NULL },
-    { "use_v4_salt", krb5_config_string, NULL },
-    { "require-preauth", krb5_config_string, check_boolean },
-    { NULL }
+    { "password_lifetime", krb5_config_string, check_time, 0 },
+    { "default_keys", krb5_config_string, NULL, 0 },
+    { "use_v4_salt", krb5_config_string, NULL, 0 },
+    { "require-preauth", krb5_config_string, check_boolean, 0 },
+    { NULL, 0, NULL, 0 }
 };
 struct entry log_strings[] = {
-    { "", krb5_config_string, check_log },
-    { NULL }
+    { "", krb5_config_string, check_log, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 
 /* MIT stuff */
 struct entry kdcdefaults_entries[] = {
-    { "kdc_ports", krb5_config_string, mit_entry },
-    { "v4_mode", krb5_config_string, mit_entry },
-    { NULL }
+    { "kdc_ports", krb5_config_string, mit_entry, 0 },
+    { "v4_mode", krb5_config_string, mit_entry, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry capaths_entries[] = {
-    { "", krb5_config_list, all_strings },
-    { NULL }
+    { "", krb5_config_list, all_strings, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry password_quality_entries[] = {
-    { "policies", krb5_config_string, NULL },
-    { "external_program", krb5_config_string, NULL },
-    { "min_classes", krb5_config_string, check_numeric },
-    { "min_length", krb5_config_string, check_numeric },
-    { "", krb5_config_list, all_strings },
-    { NULL }
+    { "policies", krb5_config_string, NULL, 0 },
+    { "external_program", krb5_config_string, NULL, 0 },
+    { "min_classes", krb5_config_string, check_numeric, 0 },
+    { "min_length", krb5_config_string, check_numeric, 0 },
+    { "", krb5_config_list, all_strings, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 struct entry toplevel_sections[] = {
-    { "libdefaults" , krb5_config_list, libdefaults_entries },
-    { "realms", krb5_config_list, realms_foobar },
-    { "domain_realm", krb5_config_list, all_strings },
-    { "logging", krb5_config_list, log_strings },
-    { "kdc", krb5_config_list, kdc_entries },
-    { "kadmin", krb5_config_list, kadmin_entries },
-    { "appdefaults", krb5_config_list, appdefaults_entries },
-    { "gssapi", krb5_config_list, NULL },
-    { "capaths", krb5_config_list, capaths_entries },
-    { "password_quality", krb5_config_list, password_quality_entries },
+    { "libdefaults" , krb5_config_list, libdefaults_entries, 0 },
+    { "realms", krb5_config_list, realms_foobar, 0 },
+    { "domain_realm", krb5_config_list, all_strings, 0 },
+    { "logging", krb5_config_list, log_strings, 0 },
+    { "kdc", krb5_config_list, kdc_entries, 0 },
+    { "kadmin", krb5_config_list, kadmin_entries, 0 },
+    { "appdefaults", krb5_config_list, appdefaults_entries, 0 },
+    { "gssapi", krb5_config_list, NULL, 0 },
+    { "capaths", krb5_config_list, capaths_entries, 0 },
+    { "password_quality", krb5_config_list, password_quality_entries, 0 },
     /* MIT stuff */
-    { "kdcdefaults", krb5_config_list, kdcdefaults_entries },
-    { NULL }
+    { "kdcdefaults", krb5_config_list, kdcdefaults_entries, 0 },
+    { NULL, 0, NULL, 0 }
 };
 
 
diff --git a/lib/otp/otptest.c b/lib/otp/otptest.c
index 869f87421..dbf213168 100644
--- a/lib/otp/otptest.c
+++ b/lib/otp/otptest.c
@@ -107,7 +107,7 @@ test (void)
     {"sha", "OTP's are good", "correct", 0, "d51f3e99bf8e6f0b", "RUST WELT KICK FELL TAIL FRAU"},
     {"sha", "OTP's are good", "correct", 1, "82aeb52d943774e4", "FLIT DOSE ALSO MEW DRUM DEFY"},
     {"sha", "OTP's are good", "correct", 99, "4f296a74fe1567ec", "AURA ALOE HURL WING BERG WAIT"},
-    {NULL}
+    {NULL, NULL, NULL, 0, NULL, NULL}
   };
 
   struct test *t;
diff --git a/lib/roken/base64-test.c b/lib/roken/base64-test.c
index e9a2835e8..146e97e24 100644
--- a/lib/roken/base64-test.c
+++ b/lib/roken/base64-test.c
@@ -53,7 +53,7 @@ main(int argc, char **argv)
 	{ "4444", 4, "NDQ0NA==" },
 	{ "55555", 5, "NTU1NTU=" },
 	{ "abc:def", 7, "YWJjOmRlZg==" },
-	{ NULL }
+	{ NULL, 0, NULL }
     };
     for(t = tests; t->data; t++) {
 	char *str;
diff --git a/lib/roken/hex-test.c b/lib/roken/hex-test.c
index 9a3d10f28..a81422e1f 100644
--- a/lib/roken/hex-test.c
+++ b/lib/roken/hex-test.c
@@ -55,7 +55,7 @@ main(int argc, char **argv)
 	{ "abcdef", 6, "616263646566" },
 	{ "abcdefg", 7, "61626364656667" },
 	{ "=", 1, "3D" },
-	{ NULL }
+	{ NULL, 0, NULL }
     };
     for(t = tests; t->data; t++) {
 	char *str;
diff --git a/lib/roken/rkpty.c b/lib/roken/rkpty.c
index f2c62f23f..bd955e71f 100644
--- a/lib/roken/rkpty.c
+++ b/lib/roken/rkpty.c
@@ -305,9 +305,9 @@ eval_parent(pid_t pid)
 
 static struct getargs args[] = {
     { "timeout", 	't', arg_integer, &timeout, "timout", "seconds" },
-    { "verbose", 	'v', arg_counter, &verbose, "verbose debugging" },
-    { "version",	0, arg_flag,	&version_flag, "print version" },
-    { "help",		0, arg_flag,	&help_flag, NULL }
+    { "verbose", 	'v', arg_counter, &verbose, "verbose debugging", NULL },
+    { "version",	0, arg_flag,	&version_flag, "print version", NULL },
+    { "help",		0, arg_flag,	&help_flag, NULL, NULL }
 };
 
 static void
diff --git a/lib/roken/roken_gethostby.c b/lib/roken/roken_gethostby.c
index 1bb560d3b..a2dda7e05 100644
--- a/lib/roken/roken_gethostby.c
+++ b/lib/roken/roken_gethostby.c
@@ -77,7 +77,8 @@ setup_int(const char *proxy_host, short proxy_port,
 	if(make_address(dns_host, &dns_addr.sin_addr) != 0)
 	    return -1;
 	dns_addr.sin_port = htons(dns_port);
-	asprintf(&dns_req, "%s", dns_path);
+	if (asprintf(&dns_req, "%s", dns_path) < 0)
+	    return -1;
     }
     dns_addr.sin_family = AF_INET;
     return 0;
diff --git a/lib/roken/simple_exec.c b/lib/roken/simple_exec.c
index 97679d7e4..552e121b0 100644
--- a/lib/roken/simple_exec.c
+++ b/lib/roken/simple_exec.c
@@ -144,17 +144,31 @@ ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
 pipe_execv(FILE **stdin_fd, FILE **stdout_fd, FILE **stderr_fd,
 	   const char *file, ...)
 {
-    int in_fd[2], out_fd[2], err_fd[2];
+    int in_fd[2] = {-1, -1};
+    int out_fd[2] = {-1, -1};
+    int err_fd[2] = {-1, -1};
     pid_t pid;
     va_list ap;
     char **argv;
+    int ret = 0;
 
     if(stdin_fd != NULL)
-	pipe(in_fd);
-    if(stdout_fd != NULL)
-	pipe(out_fd);
-    if(stderr_fd != NULL)
-	pipe(err_fd);
+	ret = pipe(in_fd);
+    if(ret != -1 && stdout_fd != NULL)
+	ret = pipe(out_fd);
+    if(ret != -1 && stderr_fd != NULL)
+	ret = pipe(err_fd);
+
+    if (ret == -1) {
+	close(in_fd[0]);
+	close(in_fd[1]);
+	close(out_fd[0]);
+	close(out_fd[1]);
+	close(err_fd[0]);
+	close(err_fd[1]);
+	return SE_E_UNSPECIFIED;
+    }
+
     pid = fork();
     switch(pid) {
     case 0:
diff --git a/lib/roken/test-mem.c b/lib/roken/test-mem.c
index 2ce961e06..5ae10172a 100644
--- a/lib/roken/test-mem.c
+++ b/lib/roken/test-mem.c
@@ -70,13 +70,16 @@ static RETSIGTYPE
 segv_handler(int sig)
 {
     int fd;
+    ssize_t ret;
     char msg[] = "SIGSEGV i current test: ";
 
     fd = open("/dev/stdout", O_WRONLY, 0600);
     if (fd >= 0) {
-	(void)write(fd, msg, sizeof(msg) - 1);
-	(void)write(fd, testname, strlen(testname));
-	(void)write(fd, "\n", 1);
+	ret = write(fd, msg, sizeof(msg) - 1);
+	if (ret != -1)
+	    ret = write(fd, testname, strlen(testname));
+	if (ret != -1)
+	    ret = write(fd, "\n", 1);
 	close(fd);
     }
     _exit(1);
diff --git a/lib/sl/slc-gram.y b/lib/sl/slc-gram.y
index 530b1a344..93bb4056a 100644
--- a/lib/sl/slc-gram.y
+++ b/lib/sl/slc-gram.y
@@ -341,7 +341,7 @@ gen_command(struct assignment *as)
     fprintf(cfile, " },\n");
     for(a = a->next; a != NULL; a = a->next)
 	if(strcmp(a->name, "name") == 0)
-	    cprint(1, "    { \"%s\" },\n", a->u.value);
+	    cprint(1, "    { \"%s\", NULL, NULL, NULL },\n", a->u.value);
     cprint(0, "\n");
 }
 
@@ -360,6 +360,7 @@ make_name(struct assignment *as)
     struct assignment *lopt;
     struct assignment *type;
     char *s;
+    int ret;
 
     lopt = find(as, "long");
     if(lopt == NULL)
@@ -369,9 +370,11 @@ make_name(struct assignment *as)
 
     type = find(as, "type");
     if(strcmp(type->u.value, "-flag") == 0)
-	asprintf(&s, "%s_flag", lopt->u.value);
+	ret = asprintf(&s, "%s_flag", lopt->u.value);
     else
-	asprintf(&s, "%s_%s", lopt->u.value, type->u.value);
+	ret = asprintf(&s, "%s_%s", lopt->u.value, type->u.value);
+    if (ret == -1)
+	return NULL;
     gen_name(s);
     return s;
 }
@@ -446,7 +449,7 @@ struct type_handler {
 	  defval_neg_flag,
 	  NULL
 	},
-	{ NULL }
+	{ NULL, NULL, NULL, NULL, NULL }
 };
 
 static struct type_handler *find_handler(struct assignment *type)
@@ -710,7 +713,7 @@ gen(struct assignment *as)
     cprint(0, "SL_cmd commands[] = {\n");
     for(a = as; a != NULL; a = a->next)
 	gen_command(a->u.assignment);
-    cprint(1, "{ NULL }\n");
+    cprint(1, "{ NULL, NULL, NULL, NULL }\n");
     cprint(0, "};\n");
 
     hprint(0, "extern SL_cmd commands[];\n");
@@ -719,8 +722,8 @@ gen(struct assignment *as)
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);
 
diff --git a/lib/wind/bidi.c b/lib/wind/bidi.c
index 022a2a17c..7fdbc2acf 100644
--- a/lib/wind/bidi.c
+++ b/lib/wind/bidi.c
@@ -51,7 +51,7 @@ range_entry_cmp(const void *a, const void *b)
 static int
 is_ral(uint32_t cp)
 {
-    struct range_entry ee = {cp};
+    struct range_entry ee = {cp, 0};
     void *s = bsearch(&ee, _wind_ral_table, _wind_ral_table_size,
 		      sizeof(_wind_ral_table[0]),
 		      range_entry_cmp);
@@ -61,7 +61,7 @@ is_ral(uint32_t cp)
 static int
 is_l(uint32_t cp)
 {
-    struct range_entry ee = {cp};
+    struct range_entry ee = {cp, 0};
     void *s = bsearch(&ee, _wind_l_table, _wind_l_table_size,
 		      sizeof(_wind_l_table[0]),
 		      range_entry_cmp);
diff --git a/lib/wind/combining.c b/lib/wind/combining.c
index 22fbf3835..764acc321 100644
--- a/lib/wind/combining.c
+++ b/lib/wind/combining.c
@@ -49,7 +49,7 @@ translation_cmp(const void *key, const void *data)
 int
 _wind_combining_class(uint32_t code_point)
 {
-    struct translation ts = {code_point};
+    struct translation ts = {code_point, 0};
     void *s = bsearch(&ts, _wind_combining_table, _wind_combining_table_size,
 		      sizeof(_wind_combining_table[0]),
 		      translation_cmp);
diff --git a/lib/wind/errorlist.c b/lib/wind/errorlist.c
index c2907832a..8a9d4a549 100644
--- a/lib/wind/errorlist.c
+++ b/lib/wind/errorlist.c
@@ -51,7 +51,7 @@ error_entry_cmp(const void *a, const void *b)
 int
 _wind_stringprep_error(const uint32_t cp, wind_profile_flags flags)
 {
-    struct error_entry ee = {cp};
+    struct error_entry ee = {cp, 0, 0};
     const struct error_entry *s;
 
     s = (const struct error_entry *)
diff --git a/lib/wind/map.c b/lib/wind/map.c
index 03f00de25..2485d396a 100644
--- a/lib/wind/map.c
+++ b/lib/wind/map.c
@@ -58,7 +58,7 @@ _wind_stringprep_map(const uint32_t *in, size_t in_len,
     unsigned o = 0;
 
     for (i = 0; i < in_len; ++i) {
-	struct translation ts = {in[i]};
+	struct translation ts = {in[i], 0, 0, 0};
 	const struct translation *s;
 
 	s = (const struct translation *)
diff --git a/lib/wind/normalize.c b/lib/wind/normalize.c
index 15274f685..20e8a4a04 100644
--- a/lib/wind/normalize.c
+++ b/lib/wind/normalize.c
@@ -127,7 +127,7 @@ compat_decomp(const uint32_t *in, size_t in_len,
     unsigned o = 0;
 
     for (i = 0; i < in_len; ++i) {
-	struct translation ts = {in[i]};
+	struct translation ts = {in[i], 0, 0};
 	size_t sub_len = *out_len - o;
 	int ret;
 
diff --git a/lib/wind/test-normalize.c b/lib/wind/test-normalize.c
index 16c808139..3e13aeec9 100644
--- a/lib/wind/test-normalize.c
+++ b/lib/wind/test-normalize.c
@@ -47,7 +47,7 @@
 static size_t
 parse_vector(char *buf, uint32_t *v)
 {
-    char *last;
+    char *last = NULL;
     unsigned ret = 0;
     const char *n;
     unsigned u;
diff --git a/lib/wind/test-utf8.c b/lib/wind/test-utf8.c
index d85df286e..0b95032ff 100644
--- a/lib/wind/test-utf8.c
+++ b/lib/wind/test-utf8.c
@@ -78,24 +78,24 @@ struct testcase {
 };
 
 static const struct testcase testcases[] = {
-    {"", 0, {0}},
-    {"\x01", 1, {1}},
-    {"\x7F", 1, {0x7F}},
-    {"\x01\x7F", 2, {0x01, 0x7F}},
-    {"\xC0\x80", 1, {0}},
-    {"\xC0\x81", 1, {1}},
-    {"\xC1\x80", 1, {0x40}},
-    {"\xDF\xBF", 1, {0x7FF}},
-    {"\xE0\x80\x80", 1, {0}},
-    {"\xE0\x80\x81", 1, {1}},
-    {"\xE0\x81\x80", 1, {0x40}},
-    {"\xE1\x80\x80", 1, {0x1000}},
-    {"\xEF\xBF\xBF", 1, {0xFFFF}},
-    {"\xF0\x80\x80\x80", 1, {0}},
-    {"\xF0\x80\x80\x81", 1, {1}},
-    {"\xF0\x80\x81\x80", 1, {0x40}},
-    {"\xF0\x81\x80\x80", 1, {0x1000}},
-    {"\xF1\x80\x80\x80", 1, {0x40000}},
+    {"", 0, {0}, 0},
+    {"\x01", 1, {1}, 0},
+    {"\x7F", 1, {0x7F}, 0},
+    {"\x01\x7F", 2, {0x01, 0x7F}, 0},
+    {"\xC0\x80", 1, {0}, 0},
+    {"\xC0\x81", 1, {1}, 0},
+    {"\xC1\x80", 1, {0x40}, 0},
+    {"\xDF\xBF", 1, {0x7FF}, 0},
+    {"\xE0\x80\x80", 1, {0}, 0},
+    {"\xE0\x80\x81", 1, {1}, 0},
+    {"\xE0\x81\x80", 1, {0x40}, 0},
+    {"\xE1\x80\x80", 1, {0x1000}, 0},
+    {"\xEF\xBF\xBF", 1, {0xFFFF}, 0},
+    {"\xF0\x80\x80\x80", 1, {0}, 0},
+    {"\xF0\x80\x80\x81", 1, {1}, 0},
+    {"\xF0\x80\x81\x80", 1, {0x40}, 0},
+    {"\xF0\x81\x80\x80", 1, {0x1000}, 0},
+    {"\xF1\x80\x80\x80", 1, {0x40000}, 0},
     {"\xF7\xBF\xBF\xBF", 1, {0X1FFFFF}, 1},
 };