Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.

We turn on a few extra warnings and fix the fallout that occurs when building with --enable-developer. Note that we get different warnings on different machines and so this will be a work in progress. So far, we have built on NetBSD/amd64 5.99.64 (which uses gcc 4.5.3) and Ubuntu 10.04.3 LTS (which uses gcc 4.4.3). Notably, we fixed 1. a lot of missing structure initialisers, 2. unchecked return values for functions that glibc marks as __attribute__((warn-unused-result)), 3. made minor modifications to slc and asn1_compile which can generate code which generates warnings, and 4. a few stragglers here and there. We turned off the extended warnings for many programs in appl/ as they are nearing the end of their useful lifetime, e.g. rsh, rcp, popper, ftp and telnet. Interestingly, glibc's strncmp() macro needed to be worked around whereas the function calls did not. We have not yet tried this on 32 bit platforms, so there will be a few more warnings when we do.
2012-02-20 19:45:41 +00:00
parent 8ce8cb509a
commit cc47c8fa7b
147 changed files with 1083 additions and 665 deletions
--- a/lib/asn1/asn1_gen.c
+++ b/lib/asn1/asn1_gen.c
@@ -150,8 +150,8 @@ doit(const char *fn)
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);

--- a/lib/asn1/asn1_print.c
+++ b/lib/asn1/asn1_print.c
@@ -315,10 +315,11 @@ doit (const char *filename)
 static int version_flag;
 static int help_flag;
 struct getargs args[] = {
-    { "indent", 0, arg_negative_flag, &indent_flag },
-    { "inner", 0, arg_flag, &inner_flag, "try to parse inner structures of OCTET STRING" },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "indent", 0, arg_negative_flag, &indent_flag, NULL, NULL },
+    { "inner", 0, arg_flag, &inner_flag,
+      "try to parse inner structures of OCTET STRING", NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);

--- a/lib/asn1/check-common.c
+++ b/lib/asn1/check-common.c
@@ -178,15 +178,20 @@ static RETSIGTYPE
 segv_handler(int sig)
 {
    int fd;
+    ssize_t ret;
    char msg[] = "SIGSEGV i current test: ";

    fd = open("/dev/stdout", O_WRONLY, 0600);
    if (fd >= 0) {
-	write(fd, msg, sizeof(msg));
-	write(fd, current_test, strlen(current_test));
-	write(fd, " ", 1);
-	write(fd, current_state, strlen(current_state));
-	write(fd, "\n", 1);
+	ret = write(fd, msg, sizeof(msg));
+	if (ret != -1)
+	    ret = write(fd, current_test, strlen(current_test));
+	if (ret != -1)
+	    ret = write(fd, " ", 1);
+	if (ret != -1)
+	    ret = write(fd, current_state, strlen(current_state));
+	if (ret != -1)
+	    ret = write(fd, "\n", 1);
 	close(fd);
    }
    _exit(1);
--- a/lib/asn1/check-der.c
+++ b/lib/asn1/check-der.c
@@ -58,16 +58,16 @@ static int
 test_integer (void)
 {
    struct test_case tests[] = {
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x7f"},
-	{NULL, 2, "\x00\x80"},
-	{NULL, 2, "\x01\x00"},
-	{NULL, 1, "\x80"},
-	{NULL, 2, "\xff\x7f"},
-	{NULL, 1, "\xff"},
-	{NULL, 2, "\xff\x01"},
-	{NULL, 2, "\x00\xff"},
-	{NULL, 4, "\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00",		NULL},
+	{NULL, 1, "\x7f",		NULL},
+	{NULL, 2, "\x00\x80",		NULL},
+	{NULL, 2, "\x01\x00",		NULL},
+	{NULL, 1, "\x80",		NULL},
+	{NULL, 2, "\xff\x7f",		NULL},
+	{NULL, 1, "\xff",		NULL},
+	{NULL, 2, "\xff\x01",		NULL},
+	{NULL, 2, "\x00\xff",		NULL},
+	{NULL, 4, "\x7f\xff\xff\xff",	NULL}
    };

    int values[] = {0, 127, 128, 256, -128, -129, -1, -255, 255,
@@ -184,14 +184,14 @@ static int
 test_unsigned (void)
 {
    struct test_case tests[] = {
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x7f"},
-	{NULL, 2, "\x00\x80"},
-	{NULL, 2, "\x01\x00"},
-	{NULL, 2, "\x02\x00"},
-	{NULL, 3, "\x00\x80\x00"},
-	{NULL, 5, "\x00\x80\x00\x00\x00"},
-	{NULL, 4, "\x7f\xff\xff\xff"}
+	{NULL, 1, "\x00",			NULL},
+	{NULL, 1, "\x7f",			NULL},
+	{NULL, 2, "\x00\x80",			NULL},
+	{NULL, 2, "\x01\x00",			NULL},
+	{NULL, 2, "\x02\x00",			NULL},
+	{NULL, 3, "\x00\x80\x00",		NULL},
+	{NULL, 5, "\x00\x80\x00\x00\x00",	NULL},
+	{NULL, 4, "\x7f\xff\xff\xff",		NULL}
    };

    unsigned int values[] = {0, 127, 128, 256, 512, 32768,
@@ -237,7 +237,7 @@ test_octet_string (void)
    heim_octet_string s1 = {8, "\x01\x23\x45\x67\x89\xab\xcd\xef"};

    struct test_case tests[] = {
-	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef"}
+	{NULL, 8, "\x01\x23\x45\x67\x89\xab\xcd\xef", NULL}
    };
    int ntests = sizeof(tests) / sizeof(*tests);
    int ret;
@@ -278,8 +278,8 @@ test_bmp_string (void)
    heim_bmp_string s2 = { 2, bmp_d2 };

    struct test_case tests[] = {
-	{NULL, 2, "\x00\x20"},
-	{NULL, 4, "\x00\x20\x00\x20"}
+	{NULL, 2, "\x00\x20",		NULL},
+	{NULL, 4, "\x00\x20\x00\x20",	NULL}
    };
    int ntests = sizeof(tests) / sizeof(*tests);
    int ret;
@@ -326,8 +326,8 @@ test_universal_string (void)
    heim_universal_string s2 = { 2, universal_d2 };

    struct test_case tests[] = {
-	{NULL, 4, "\x00\x00\x00\x20"},
-	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20"}
+	{NULL, 4, "\x00\x00\x00\x20",			NULL},
+	{NULL, 8, "\x00\x00\x00\x20\x00\x00\x00\x20",	NULL}
    };
    int ntests = sizeof(tests) / sizeof(*tests);
    int ret;
@@ -370,7 +370,7 @@ test_general_string (void)
    char *s1 = "Test User 1";

    struct test_case tests[] = {
-	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31"}
+	{NULL, 11, "\x54\x65\x73\x74\x20\x55\x73\x65\x72\x20\x31", NULL}
    };
    int ret, ntests = sizeof(tests) / sizeof(*tests);

@@ -404,8 +404,8 @@ static int
 test_generalized_time (void)
 {
    struct test_case tests[] = {
-	{NULL, 15, "19700101000000Z"},
-	{NULL, 15, "19851106210627Z"}
+	{NULL, 15, "19700101000000Z",	NULL},
+	{NULL, 15, "19851106210627Z",	NULL}
    };
    time_t values[] = {0, 500159187};
    int i, ret;
@@ -446,10 +446,10 @@ static int
 test_oid (void)
 {
    struct test_case tests[] = {
-	{NULL, 2, "\x29\x01"},
-	{NULL, 1, "\x29"},
-	{NULL, 2, "\xff\x01"},
-	{NULL, 1, "\xff"}
+	{NULL, 2, "\x29\x01",	NULL},
+	{NULL, 1, "\x29",	NULL},
+	{NULL, 2, "\xff\x01",	NULL},
+	{NULL, 1, "\xff",	NULL}
    };
    heim_oid values[] = {
 	{ 3, oid_comp1 },
@@ -490,7 +490,7 @@ static int
 test_bit_string (void)
 {
    struct test_case tests[] = {
-	{NULL, 1, "\x00"}
+	{NULL, 1, "\x00", NULL}
    };
    heim_bit_string values[] = {
 	{ 0, "" }
@@ -528,13 +528,13 @@ static int
 test_heim_integer (void)
 {
    struct test_case tests[] = {
-	{NULL, 2, "\xfe\x01"},
-	{NULL, 2, "\xef\x01"},
-	{NULL, 3, "\xff\x00\xff"},
-	{NULL, 3, "\xff\x01\x00"},
-	{NULL, 1, "\x00"},
-	{NULL, 1, "\x01"},
-	{NULL, 2, "\x00\x80"}
+	{NULL, 2, "\xfe\x01",		NULL},
+	{NULL, 2, "\xef\x01",		NULL},
+	{NULL, 3, "\xff\x00\xff",	NULL},
+	{NULL, 3, "\xff\x01\x00",	NULL},
+	{NULL, 1, "\x00",		NULL},
+	{NULL, 1, "\x01",		NULL},
+	{NULL, 2, "\x00\x80",		NULL}
    };

    heim_integer values[] = {
@@ -592,8 +592,8 @@ static int
 test_boolean (void)
 {
    struct test_case tests[] = {
-	{NULL, 1, "\xff"},
-	{NULL, 1, "\x00"}
+	{NULL, 1, "\xff", NULL},
+	{NULL, 1, "\x00", NULL}
    };

    int values[] = { 1, 0 };
--- a/lib/asn1/check-gen.c
+++ b/lib/asn1/check-gen.c
@@ -98,18 +98,21 @@ test_principal (void)
    struct test_case tests[] = {
 	{ NULL, 29,
 	  "\x30\x1b\xa0\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b"
-	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45"
+	  "\x03\x6c\x68\x61\xa1\x07\x1b\x05\x53\x55\x2e\x53\x45",
+	  NULL
 	},
 	{ NULL, 35,
 	  "\x30\x21\xa0\x16\x30\x14\xa0\x03\x02\x01\x01\xa1\x0d\x30\x0b\x1b"
 	  "\x03\x6c\x68\x61\x1b\x04\x72\x6f\x6f\x74\xa1\x07\x1b\x05\x53\x55"
-	  "\x2e\x53\x45"
+	  "\x2e\x53\x45",
+	  NULL
 	},
 	{ NULL, 54,
 	  "\x30\x34\xa0\x26\x30\x24\xa0\x03\x02\x01\x03\xa1\x1d\x30\x1b\x1b"
 	  "\x04\x68\x6f\x73\x74\x1b\x13\x6e\x75\x74\x63\x72\x61\x63\x6b\x65"
 	  "\x72\x2e\x65\x2e\x6b\x74\x68\x2e\x73\x65\xa1\x0a\x1b\x08\x45\x2e"
-	  "\x4b\x54\x48\x2e\x53\x45"
+	  "\x4b\x54\x48\x2e\x53\x45",
+	  NULL
 	}
    };

@@ -171,7 +174,8 @@ test_authenticator (void)
 	  "\x45\x2e\x4b\x54\x48\x2e\x53\x45\xa2\x10\x30\x0e\xa0"
 	  "\x03\x02\x01\x01\xa1\x07\x30\x05\x1b\x03\x6c\x68\x61"
 	  "\xa4\x03\x02\x01\x0a\xa5\x11\x18\x0f\x31\x39\x37\x30"
-	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a"
+	  "\x30\x31\x30\x31\x30\x30\x30\x31\x33\x39\x5a",
+	  NULL
 	},
 	{ NULL, 67,
 	  "\x62\x41\x30\x3f\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05"
@@ -179,7 +183,8 @@ test_authenticator (void)
 	  "\x01\xa1\x0d\x30\x0b\x1b\x03\x6c\x68\x61\x1b\x04\x72"
 	  "\x6f\x6f\x74\xa4\x04\x02\x02\x01\x24\xa5\x11\x18\x0f"
 	  "\x31\x39\x37\x30\x30\x31\x30\x31\x30\x30\x31\x36\x33"
-	  "\x39\x5a"
+	  "\x39\x5a",
+	  NULL
 	}
    };

@@ -532,7 +537,7 @@ test_time (void)
 	  "time 1" },
 	{ NULL,  17,
 	  "\x18\x0f\x32\x30\x30\x39\x30\x35\x32\x34\x30\x32\x30\x32\x34\x30"
-	  "\x5a"
+	  "\x5a",
 	  "time 2" }
    };

@@ -1185,7 +1190,7 @@ check_fail_largetag(void)
 	{NULL, 0, "", "empty buffer"},
 	{NULL, 7, "\x30\x05\xa1\x03\x02\x02\x01",
 	 "one too short" },
-	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01"
+	{NULL, 7, "\x30\x04\xa1\x03\x02\x02\x01",
 	 "two too short" },
 	{NULL, 7, "\x30\x03\xa1\x03\x02\x02\x01",
 	 "three too short" },
@@ -1220,7 +1225,7 @@ check_fail_sequence(void)
 	{NULL, 0, "", "empty buffer"},
 	{NULL, 24,
 	 "\x30\x16\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
-	 "\x02\x01\x01\xa2\x03\x02\x01\x01"
+	 "\x02\x01\x01\xa2\x03\x02\x01\x01",
 	 "missing one byte from the end, internal length ok"},
 	{NULL, 25,
 	 "\x30\x18\xa0\x03\x02\x01\x01\xa1\x08\x30\x06\xbf\x7f\x03\x02\x01\x01"
--- a/lib/asn1/gen_decode.c
+++ b/lib/asn1/gen_decode.c
@@ -193,7 +193,7 @@ range_check(const char *name,
 		 "e = ASN1_MAX_CONSTRAINT; %s;\n"
 		 "}\n",
 		 name, length, (long long)r->max, forwstr);
-    if (r->min - 1 == r->max || r->min < r->max)
+    if ((r->min - 1 == r->max || r->min < r->max) && r->min > 0)
 	fprintf (codefile,
 		 "if ((%s)->%s < %lld) {\n"
 		 "e = ASN1_MIN_CONSTRAINT; %s;\n"
--- a/lib/asn1/gen_encode.c
+++ b/lib/asn1/gen_encode.c
@@ -50,7 +50,7 @@ classname(Der_class class)
 {
    const char *cn[] = { "ASN1_C_UNIV", "ASN1_C_APPL",
 			 "ASN1_C_CONTEXT", "ASN1_C_PRIV" };
-    if(class < ASN1_C_UNIV || class > ASN1_C_PRIVATE)
+    if(class > ASN1_C_PRIVATE)
 	return "???";
    return cn[class];
 }
--- a/lib/asn1/main.c
+++ b/lib/asn1/main.c
@@ -70,16 +70,16 @@ char *option_file;
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "template", 0, arg_flag, &template_flag },
-    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring },
-    { "decode-dce-ber", 0, arg_flag, &support_ber },
-    { "support-ber", 0, arg_flag, &support_ber },
-    { "preserve-binary", 0, arg_strings, &preserve },
-    { "sequence", 0, arg_strings, &seq },
-    { "one-code-file", 0, arg_flag, &one_code_file },
-    { "option-file", 0, arg_string, &option_file },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "template", 0, arg_flag, &template_flag, NULL, NULL },
+    { "encode-rfc1510-bit-string", 0, arg_flag, &rfc1510_bitstring, NULL, NULL},
+    { "decode-dce-ber", 0, arg_flag, &support_ber, NULL, NULL },
+    { "support-ber", 0, arg_flag, &support_ber, NULL, NULL },
+    { "preserve-binary", 0, arg_strings, &preserve, NULL, NULL },
+    { "sequence", 0, arg_strings, &seq, NULL, NULL },
+    { "one-code-file", 0, arg_flag, &one_code_file, NULL, NULL },
+    { "option-file", 0, arg_string, &option_file, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);

--- a/lib/com_err/compile_et.c
+++ b/lib/com_err/compile_et.c
@@ -186,8 +186,8 @@ generate(void)
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);

--- a/lib/gssapi/krb5/external.c
+++ b/lib/gssapi/krb5/external.c
@@ -202,67 +202,131 @@ static gss_mo_desc krb5_mo[] = {
    },
    {
 	GSS_C_MA_MECH_CONCRETE,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_ITOK_FRAMED,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_AUTH_INIT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_AUTH_TARG,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_AUTH_INIT_ANON,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_DELEG_CRED,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_INTEG_PROT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_CONF_PROT,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_MIC,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_WRAP,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_PROT_READY,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_REPLAY_DET,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_OOS_DET,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_CBINDINGS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_PFS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_CTX_TRANS,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    }
 };

--- a/lib/gssapi/mech/gss_oid.c
+++ b/lib/gssapi/mech/gss_oid.c
@@ -254,13 +254,13 @@ struct _gss_oid_name_table _gss_ont_ma[] = {
  { GSS_C_MA_AUTH_INIT_INIT, "GSS_C_MA_AUTH_INIT_INIT", "auth-init-princ-initial", "" },
  { GSS_C_MA_MECH_CONCRETE, "GSS_C_MA_MECH_CONCRETE", "concrete-mech", "Indicates that a mech is neither a pseudo-mechanism nor a composite mechanism" },
  { GSS_C_MA_SASL_MECH_NAME, "GSS_C_MA_SASL_MECH_NAME", "SASL mechanism name", "The name of the SASL mechanism" },
-  { NULL }
+  { NULL, NULL, NULL, NULL }
 };

 struct _gss_oid_name_table _gss_ont_mech[] = {
  { GSS_KRB5_MECHANISM, "GSS_KRB5_MECHANISM", "Kerberos 5", "Heimdal Kerberos 5 mechanism" },
  { GSS_SPNEGO_MECHANISM, "GSS_SPNEGO_MECHANISM", "SPNEGO", "Heimdal SPNEGO mechanism" },
  { GSS_NTLM_MECHANISM, "GSS_NTLM_MECHANISM", "NTLM", "Heimdal NTLM mechanism" },
-  { NULL }
+  { NULL, NULL, NULL, NULL }
 };

--- a/lib/gssapi/ntlm/external.c
+++ b/lib/gssapi/ntlm/external.c
@@ -120,6 +120,9 @@ static gssapi_mech_interface_desc ntlm_mech = {
    NULL,
    NULL,
    NULL,
+    NULL,
+    NULL,
+    NULL,
 };

 gssapi_mech_interface
--- a/lib/gssapi/ntlm/init_sec_context.c
+++ b/lib/gssapi/ntlm/init_sec_context.c
@@ -103,6 +103,7 @@ get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
    krb5_error_code ret;
    char *confname;
    krb5_data data;
+    int aret;

    *username = NULL;
    krb5_data_zero(&data);
@@ -128,8 +129,8 @@ get_user_ccache(const ntlm_name name, char **username, struct ntlm_buf *key)
    if (ret)
 	goto out;

-    asprintf(&confname, "ntlm-key-%s", name->domain);
-    if (confname == NULL) {
+    aret = asprintf(&confname, "ntlm-key-%s", name->domain);
+    if (aret == -1) {
 	krb5_clear_error_message(context);
 	ret = ENOMEM;
 	goto out;
--- a/lib/gssapi/spnego/external.c
+++ b/lib/gssapi/spnego/external.c
@@ -66,11 +66,19 @@ static gss_mo_desc spnego_mo[] = {
    },
    {
 	GSS_C_MA_MECH_NEGO,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    },
    {
 	GSS_C_MA_MECH_PSEUDO,
-	GSS_MO_MA
+	GSS_MO_MA,
+	NULL,
+	NULL,
+	NULL,
+	NULL
    }
 };

@@ -134,6 +142,9 @@ static gssapi_mech_interface_desc spnego_mech = {
    NULL,
    NULL,
    NULL,
+    NULL,
+    NULL,
+    NULL,
 };

 gssapi_mech_interface
--- a/lib/hdb/db3.c
+++ b/lib/hdb/db3.c
@@ -176,16 +176,24 @@ DB_rename(krb5_context context, HDB *db, const char *new_name)
    int ret;
    char *old, *new;

-    asprintf(&old, "%s.db", db->hdb_name);
-    asprintf(&new, "%s.db", new_name);
+    ret = asprintf(&old, "%s.db", db->hdb_name);
+    if (ret == -1)
+	return ENOMEM;
+    ret = asprintf(&new, "%s.db", new_name);
+    if (ret == -1) {
+	free(old);
+	return ENOMEM;
+    }
    ret = rename(old, new);
    free(old);
-    free(new);
-    if(ret)
+    if(ret) {
+	free(new);
 	return errno;
+    }

    free(db->hdb_name);
-    db->hdb_name = strdup(new_name);
+    new[strlen(new) - 3] = '\0';
+    db->hdb_name = new;
    return 0;
 }

@@ -271,6 +279,7 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
    krb5_error_code ret;
    DB *d;
    int myflags = 0;
+    int aret;

    if (flags & O_CREAT)
      myflags |= DB_CREATE;
@@ -284,8 +293,8 @@ DB_open(krb5_context context, HDB *db, int flags, mode_t mode)
    if (flags & O_TRUNC)
      myflags |= DB_TRUNCATE;

-    asprintf(&fn, "%s.db", db->hdb_name);
-    if (fn == NULL) {
+    aret = asprintf(&fn, "%s.db", db->hdb_name);
+    if (aret == -1) {
 	krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
 	return ENOMEM;
    }
--- a/lib/hdb/dbinfo.c
+++ b/lib/hdb/dbinfo.c
@@ -153,12 +153,14 @@ hdb_get_dbinfo(krb5_context context, struct hdb_dbinfo **dbp)
 	    p = strrchr(di->dbname, '.');
 	    if(p == NULL || strchr(p, '/') != NULL)
 		/* final pathname component does not contain a . */
-		asprintf(&di->mkey_file, "%s.mkey", di->dbname);
+		ret = asprintf(&di->mkey_file, "%s.mkey", di->dbname);
 	    else
 		/* the filename is something.else, replace .else with
                   .mkey */
-		asprintf(&di->mkey_file, "%.*s.mkey",
-			 (int)(p - di->dbname), di->dbname);
+		ret = asprintf(&di->mkey_file, "%.*s.mkey",
+			       (int)(p - di->dbname), di->dbname);
+	    if (ret == -1)
+		return ENOMEM;
 	}
 	if(di->acl_file == NULL)
 	    di->acl_file = strdup(default_acl);
--- a/lib/hdb/keytab.c
+++ b/lib/hdb/keytab.c
@@ -420,5 +420,7 @@ krb5_kt_ops hdb_kt_ops = {
    hdb_next_entry,
    hdb_end_seq_get,
    NULL,		/* add */
-    NULL		/* remove */
+    NULL,		/* remove */
+    NULL,
+    0
 };
--- a/lib/hdb/test_dbinfo.c
+++ b/lib/hdb/test_dbinfo.c
@@ -38,8 +38,8 @@ static int help_flag;
 static int version_flag;

 struct getargs args[] = {
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,   &version_flag, NULL, NULL }
 };

 static int num_args = sizeof(args) / sizeof(args[0]);
--- a/lib/hdb/test_hdbkeys.c
+++ b/lib/hdb/test_hdbkeys.c
@@ -40,9 +40,9 @@ static int version_flag;
 static int kvno_integer = 1;

 struct getargs args[] = {
-    { "kvno",		'd',	arg_integer, &kvno_integer },
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "kvno",		'd',	arg_integer, &kvno_integer, NULL, NULL },
+    { "help",		'h',	arg_flag,    &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,    &version_flag, NULL, NULL }
 };

 static int num_args = sizeof(args) / sizeof(args[0]);
--- a/lib/hdb/test_mkey.c
+++ b/lib/hdb/test_mkey.c
@@ -8,9 +8,9 @@ static int help_flag;
 static int version_flag;

 struct getargs args[] = {
-    { "mkey-file",	0,      arg_string, &mkey_file },
-    { "help",		'h',	arg_flag,   &help_flag },
-    { "version",	0,	arg_flag,   &version_flag }
+    { "mkey-file",	0,      arg_string, &mkey_file,    NULL, NULL },
+    { "help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    { "version",	0,	arg_flag,   &version_flag, NULL, NULL }
 };

 static int num_args = sizeof(args) / sizeof(args[0]);
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -965,8 +965,8 @@ build_proxy_prefix(hx509_context context, const Name *issuer, Name *subject)
    }

    t = time(NULL);
-    asprintf(&tstr, "ts-%lu", (unsigned long)t);
-    if (tstr == NULL) {
+    ret = asprintf(&tstr, "ts-%lu", (unsigned long)t);
+    if (ret == -1 || tstr == NULL) {
 	hx509_set_error_string(context, 0, ENOMEM,
 			       "Failed to copy subject name");
 	return ENOMEM;
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -3425,7 +3425,9 @@ _hx509_cert_to_env(hx509_context context, hx509_cert cert, hx509_env *env)
    *env = NULL;

    /* version */
-    asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+    ret = asprintf(&buf, "%d", _hx509_cert_get_version(_hx509_get_cert(cert)));
+    if (ret == -1)
+	goto out;
    ret = hx509_env_add(context, &envcert, "version", buf);
    free(buf);
    if (ret)
--- a/lib/hx509/cms.c
+++ b/lib/hx509/cms.c
@@ -209,7 +209,7 @@ unparse_CMSIdentifier(hx509_context context,
 		      CMSIdentifier *id,
 		      char **str)
 {
-    int ret;
+    int ret = -1;

    *str = NULL;
    switch (id->element) {
@@ -227,8 +227,8 @@ unparse_CMSIdentifier(hx509_context context,
 	    free(name);
 	    return ret;
 	}
-	asprintf(str, "certificate issued by %s with serial number %s",
-		 name, serial);
+	ret = asprintf(str, "certificate issued by %s with serial number %s",
+		       name, serial);
 	free(name);
 	free(serial);
 	break;
@@ -242,15 +242,19 @@ unparse_CMSIdentifier(hx509_context context,
 	if (len < 0)
 	    return ENOMEM;

-	asprintf(str, "certificate with id %s", keyid);
+	ret = asprintf(str, "certificate with id %s", keyid);
 	free(keyid);
 	break;
    }
    default:
-	asprintf(str, "certificate have unknown CMSidentifier type");
+	ret = asprintf(str, "certificate have unknown CMSidentifier type");
 	break;
    }
-    if (*str == NULL)
+    /*
+     * In the following if, we check ret and *str which should be returned/set
+     * by asprintf(3) in every branch of the switch statement.
+     */
+    if (ret == -1 || *str == NULL)
 	return ENOMEM;
    return 0;
 }
--- a/lib/hx509/error.c
+++ b/lib/hx509/error.c
@@ -194,13 +194,14 @@ hx509_err(hx509_context context, int exit_code,
    va_list ap;
    const char *msg;
    char *str;
+    int ret;

    va_start(ap, fmt);
-    vasprintf(&str, fmt, ap);
+    ret = vasprintf(&str, fmt, ap);
    va_end(ap);
    msg = hx509_get_error_string(context, error_code);
    if (msg == NULL)
 	msg = "no error";

-    errx(exit_code, "%s: %s", str, msg);
+    errx(exit_code, "%s: %s", ret != -1 ? str : "ENOMEM", msg);
 }
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -372,9 +372,9 @@ cms_create_sd(struct cms_create_sd_options *opt, int argc, char **argv)
    infile = argv[0];

    if (argc < 2) {
-	asprintf(&outfile, "%s.%s", infile,
-		 opt->pem_flag ? "pem" : "cms-signeddata");
-	if (outfile == NULL)
+	ret = asprintf(&outfile, "%s.%s", infile,
+		       opt->pem_flag ? "pem" : "cms-signeddata");
+	if (ret == -1 || outfile == NULL)
 	    errx(1, "out of memory");
    } else
 	outfile = argv[1];
--- a/lib/hx509/keyset.c
+++ b/lib/hx509/keyset.c
@@ -752,11 +752,12 @@ _hx509_pi_printf(int (*func)(void *, const char *), void *ctx,
 {
    va_list ap;
    char *str;
+    int ret;

    va_start(ap, fmt);
-    vasprintf(&str, fmt, ap);
+    ret = vasprintf(&str, fmt, ap);
    va_end(ap);
-    if (str == NULL)
+    if (ret == -1 || str == NULL)
 	return;
    (*func)(ctx, str);
    free(str);
--- a/lib/hx509/ks_dir.c
+++ b/lib/hx509/ks_dir.c
@@ -211,7 +211,10 @@ static struct hx509_keyset_ops keyset_dir = {
    NULL,
    dir_iter_start,
    dir_iter,
-    dir_iter_end
+    dir_iter_end,
+    NULL,
+    NULL,
+    NULL
 };

 void
--- a/lib/hx509/ks_null.c
+++ b/lib/hx509/ks_null.c
@@ -87,7 +87,10 @@ struct hx509_keyset_ops keyset_null = {
    NULL,
    null_iter_start,
    null_iter,
-    null_iter_end
+    null_iter_end,
+    NULL,
+    NULL,
+    NULL
 };

 void
--- a/lib/hx509/ks_p11.c
+++ b/lib/hx509/ks_p11.c
@@ -226,6 +226,7 @@ static const RSA_METHOD p11_rsa_pkcs1_method = {
    0,
    NULL,
    NULL,
+    NULL,
    NULL
 };

@@ -330,8 +331,10 @@ p11_init_slot(hx509_context context,
 	break;
    }

-    asprintf(&slot->name, "%.*s",
-	     (int)i, slot_info.slotDescription);
+    ret = asprintf(&slot->name, "%.*s", (int)i,
+		   slot_info.slotDescription);
+    if (ret == -1)
+	return ENOMEM;

    if ((slot_info.flags & CKF_TOKEN_PRESENT) == 0)
 	return 0;
@@ -422,7 +425,12 @@ p11_get_session(hx509_context context,

 	    memset(&prompt, 0, sizeof(prompt));

-	    asprintf(&str, "PIN code for %s: ", slot->name);
+	    ret = asprintf(&str, "PIN code for %s: ", slot->name);
+	    if (ret == -1 || str == NULL) {
+		if (context)
+		    hx509_set_error_string(context, 0, ENOMEM, "out of memory");
+		return ENOMEM;
+	    }
 	    prompt.prompt = str;
 	    prompt.type = HX509_PROMPT_TYPE_PASSWORD;
 	    prompt.reply.data = pin;
@@ -717,9 +725,9 @@ collect_cert(hx509_context context,
    if ((CK_LONG)query[2].ulValueLen != -1) {
 	char *str;

-	asprintf(&str, "%.*s",
-		 (int)query[2].ulValueLen, (char *)query[2].pValue);
-	if (str) {
+	ret = asprintf(&str, "%.*s",
+		       (int)query[2].ulValueLen, (char *)query[2].pValue);
+	if (ret != -1 && str) {
 	    hx509_cert_set_friendly_name(cert, str);
 	    free(str);
 	}
@@ -1176,7 +1184,9 @@ static struct hx509_keyset_ops keyset_pkcs11 = {
    p11_iter_start,
    p11_iter,
    p11_iter_end,
-    p11_printinfo
+    p11_printinfo,
+    NULL,
+    NULL
 };

 #endif /* HAVE_DLOPEN */
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -697,7 +697,10 @@ static struct hx509_keyset_ops keyset_pkcs12 = {
    NULL,
    p12_iter_start,
    p12_iter,
-    p12_iter_end
+    p12_iter_end,
+    NULL,
+    NULL,
+    NULL
 };

 void
--- a/lib/hx509/lock.c
+++ b/lib/hx509/lock.c
@@ -47,7 +47,10 @@ struct hx509_lock_data {
 };

 static struct hx509_lock_data empty_lock_data = {
-    { 0, NULL }
+    { 0, NULL },
+    NULL,
+    NULL,
+    NULL
 };

 hx509_lock _hx509_empty_lock = &empty_lock_data;
--- a/lib/hx509/softp11.c
+++ b/lib/hx509/softp11.c
@@ -615,7 +615,11 @@ add_certificate(const char *cert_file,

    if (pin) {
 	char *str;
-	asprintf(&str, "PASS:%s", pin);
+	ret = asprintf(&str, "PASS:%s", pin);
+	if (ret == -1 || !str) {
+	    st_logf("failed to allocate memory\n");
+	    return CKR_GENERAL_ERROR;
+	}

 	hx509_lock_init(context, &lock);
 	hx509_lock_command_string(lock, str);
@@ -815,6 +819,7 @@ get_config_file_for_user(void)

 #ifndef _WIN32
    char *home = NULL;
+    int ret;

    if (!issuid()) {
        fn = getenv("SOFTPKCS11RC");
@@ -828,9 +833,11 @@ get_config_file_for_user(void)
            home = pw->pw_dir;
    }
    if (fn == NULL) {
-        if (home)
-            asprintf(&fn, "%s/.soft-token.rc", home);
-        else
+        if (home) {
+            ret = asprintf(&fn, "%s/.soft-token.rc", home);
+	    if (ret == -1)
+		fn = NULL;
+        } else
            fn = strdup("/etc/soft-token.rc");
    }
 #else  /* Windows */
@@ -1205,8 +1212,13 @@ C_Login(CK_SESSION_HANDLE hSession,
    VERIFY_SESSION_HANDLE(hSession, NULL);

    if (pPin != NULL_PTR) {
-	asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
-	st_logf("type: %d password: %s\n", (int)userType, pin);
+	int aret;
+
+	aret = asprintf(&pin, "%.*s", (int)ulPinLen, pPin);
+	if (aret != -1 && pin)
+		st_logf("type: %d password: %s\n", (int)userType, pin);
+	else
+		st_logf("memory error: asprintf failed\n");
    }

    /*
--- a/lib/ipc/client.c
+++ b/lib/ipc/client.c
@@ -352,10 +352,12 @@ common_path_init(const char *service,
 	return ENOMEM;
    s->fd = -1;

-    asprintf(&s->path, "/var/run/.heim_%s-%s", service, file);
+    if (asprintf(&s->path, "/var/run/.heim_%s-%s", service, file) == -1) {
+	free(s);
+	return ENOMEM;
+    }

    *ctx = s;
-
    return 0;
 }

--- a/lib/ipc/tc.c
+++ b/lib/ipc/tc.c
@@ -46,8 +46,8 @@ static int help_flag;
 static int version_flag;

 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };

 static int num_args = sizeof(args) / sizeof(args[0]);
--- a/lib/ipc/ts-http.c
+++ b/lib/ipc/ts-http.c
@@ -44,8 +44,8 @@ static int help_flag;
 static int version_flag;

 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };

 static int num_args = sizeof(args) / sizeof(args[0]);
--- a/lib/ipc/ts.c
+++ b/lib/ipc/ts.c
@@ -44,8 +44,8 @@ static int help_flag;
 static int version_flag;

 static struct getargs args[] = {
-    {	"help",		'h',	arg_flag,   &help_flag },
-    {	"version",	'v',	arg_flag,   &version_flag }
+    {	"help",		'h',	arg_flag,   &help_flag,    NULL, NULL },
+    {	"version",	'v',	arg_flag,   &version_flag, NULL, NULL }
 };

 static int num_args = sizeof(args) / sizeof(args[0]);
--- a/lib/kadm5/ad.c
+++ b/lib/kadm5/ad.c
@@ -484,13 +484,14 @@ ad_get_cred(kadm5_ad_context *context, const char *password)
    kadm5_ret_t ret;
    krb5_ccache cc;
    char *service;
+    int aret;

    if (context->ccache)
 	return 0;

-    asprintf(&service, "%s/%s@%s", KRB5_TGS_NAME,
-	     context->realm, context->realm);
-    if (service == NULL)
+    aret = asprintf(&service, "%s/%s@%s", KRB5_TGS_NAME,
+		    context->realm, context->realm);
+    if (aret == -1 || service == NULL)
 	return ENOMEM;

    ret = _kadm5_c_get_cred_cache(context->context,
--- a/lib/kadm5/context_s.c
+++ b/lib/kadm5/context_s.c
@@ -130,6 +130,7 @@ find_db_spec(kadm5_server_context *ctx)
    krb5_context context = ctx->context;
    struct hdb_dbinfo *info, *d;
    krb5_error_code ret;
+    int aret;

    if (ctx->config.realm) {
 	/* fetch the databases */
@@ -169,12 +170,24 @@ find_db_spec(kadm5_server_context *ctx)

    if (ctx->config.dbname == NULL)
 	ctx->config.dbname = strdup(hdb_default_db(context));
-    if (ctx->config.acl_file == NULL)
-	asprintf(&ctx->config.acl_file, "%s/kadmind.acl", hdb_db_dir(context));
-    if (ctx->config.stash_file == NULL)
-	asprintf(&ctx->config.stash_file, "%s/m-key", hdb_db_dir(context));
-    if (ctx->log_context.log_file == NULL)
-	asprintf(&ctx->log_context.log_file, "%s/log", hdb_db_dir(context));
+    if (ctx->config.acl_file == NULL) {
+	aret = asprintf(&ctx->config.acl_file, "%s/kadmind.acl",
+			hdb_db_dir(context));
+	if (aret == -1)
+	    return ENOMEM;
+    }
+    if (ctx->config.stash_file == NULL) {
+	aret = asprintf(&ctx->config.stash_file, "%s/m-key",
+			hdb_db_dir(context));
+	if (aret == -1)
+	    return ENOMEM;
+    }
+    if (ctx->log_context.log_file == NULL) {
+	aret = asprintf(&ctx->log_context.log_file, "%s/log",
+			hdb_db_dir(context));
+	if (aret == -1)
+	    return ENOMEM;
+    }

 #ifndef NO_UNIX_SOCKETS
    set_socket_name(context, &ctx->log_context.socket_name);
--- a/lib/kadm5/get_princs_s.c
+++ b/lib/kadm5/get_princs_s.c
@@ -96,9 +96,14 @@ kadm5_s_get_principals(void *server_handle,
    d.exp = expression;
    {
 	krb5_realm r;
+	int aret;
+
 	krb5_get_default_realm(context->context, &r);
-	asprintf(&d.exp2, "%s@%s", expression, r);
+	aret = asprintf(&d.exp2, "%s@%s", expression, r);
 	free(r);
+	if (aret == -1 || d.exp2 == NULL) {
+	    return ENOMEM;
+	}
    }
    d.princs = NULL;
    d.count = 0;
--- a/lib/kadm5/init_c.c
+++ b/lib/kadm5/init_c.c
@@ -479,11 +479,12 @@ kadm_connect(kadm5_client_context *ctx)
    }

    if (ctx->realm)
-	asprintf(&service_name, "%s@%s", KADM5_ADMIN_SERVICE, ctx->realm);
+	error = asprintf(&service_name, "%s@%s", KADM5_ADMIN_SERVICE,
+			 ctx->realm);
    else
-	asprintf(&service_name, "%s", KADM5_ADMIN_SERVICE);
+	error = asprintf(&service_name, "%s", KADM5_ADMIN_SERVICE);

-    if (service_name == NULL) {
+    if (error == -1 || service_name == NULL) {
 	freeaddrinfo (ai);
 	rk_closesocket(s);
 	krb5_clear_error_message(context);
--- a/lib/kadm5/iprop-log.c
+++ b/lib/kadm5/iprop-log.c
@@ -47,11 +47,12 @@ get_kadmin_context(const char *config_file, char *realm)
    krb5_error_code ret;
    void *kadm_handle;
    char **files;
+    int aret;

    if (config_file == NULL) {
 	char *file;
-	asprintf(&file, "%s/kdc.conf", hdb_db_dir(context));
-	if (file == NULL)
+	aret = asprintf(&file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1 || file == NULL)
 	    errx(1, "out of memory");
 	config_file = file;
    }
--- a/lib/kadm5/ipropd_master.c
+++ b/lib/kadm5/ipropd_master.c
@@ -623,24 +623,25 @@ open_stats(krb5_context context)
 {
    char *statfile = NULL;
    const char *fn;
-    FILE *f;
+    int ret;

    if (slave_stats_file)
 	fn = slave_stats_file;
    else {
-	asprintf(&statfile,  "%s/slaves-stats", hdb_db_dir(context));
+	ret = asprintf(&statfile,  "%s/slaves-stats", hdb_db_dir(context));
+	if (ret == -1)
+	    return NULL;
 	fn = krb5_config_get_string_default(context,
 					    NULL,
 					    statfile,
 					    "kdc",
 					    "iprop-stats",
 					    NULL);
-    }
-    f = fopen(fn, "w");
-    if (statfile)
 	free(statfile);
-
-    return f;
+    }
+    if (fn == NULL)
+	return NULL;
+    return fopen(fn, "w");
 }

 static void
@@ -776,6 +777,7 @@ main(int argc, char **argv)
    uint32_t current_version = 0, old_version = 0;
    krb5_keytab keytab;
    char **files;
+    int aret;

    (void) krb5_program_setup(&context, argc, argv, args, num_args, NULL);

@@ -789,8 +791,8 @@ main(int argc, char **argv)
    setup_signal();

    if (config_file == NULL) {
-	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
-	if (config_file == NULL)
+	aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+	if (aret == -1 || config_file == NULL)
 	    errx(1, "out of memory");
    }

@@ -811,8 +813,13 @@ main(int argc, char **argv)
 	krb5_errx (context, 1, "couldn't parse time: %s", slave_time_missing);

 #ifdef SUPPORT_DETACH
-    if (detach_from_console)
-	daemon(0, 0);
+    if (detach_from_console) {
+	aret = daemon(0, 0);
+	if (aret == -1) {
+	    /* not much to do if detaching fails... */
+	    krb5_err(context, 1, aret, "failed to daemon(3)ise");
+	}
+    }
 #endif
    pidfile (NULL);
    krb5_openlog (context, "ipropd-master", &log_facility);
--- a/lib/kadm5/ipropd_slave.c
+++ b/lib/kadm5/ipropd_slave.c
@@ -107,6 +107,7 @@ get_creds(krb5_context context, const char *keytab_str,
    krb5_creds creds;
    char *server;
    char keytab_buf[256];
+    int aret;

    if (keytab_str == NULL) {
 	ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf));
@@ -127,8 +128,8 @@ get_creds(krb5_context context, const char *keytab_str,
    ret = krb5_get_init_creds_opt_alloc(context, &init_opts);
    if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");

-    asprintf (&server, "%s/%s", IPROP_NAME, serverhost);
-    if (server == NULL)
+    aret = asprintf (&server, "%s/%s", IPROP_NAME, serverhost);
+    if (aret == -1 || server == NULL)
 	krb5_errx (context, 1, "malloc: no memory");

    ret = krb5_get_init_creds_keytab(context, &creds, client, keytab,
@@ -374,7 +375,9 @@ receive_everything (krb5_context context, int fd,

    krb5_warnx(context, "receive complete database");

-    asprintf(&dbname, "%s-NEW", server_context->db->hdb_name);
+    ret = asprintf(&dbname, "%s-NEW", server_context->db->hdb_name);
+    if (ret == -1)
+	krb5_err(context, 1, ENOMEM, "asprintf");
    ret = hdb_create(context, &mydb, dbname);
    if(ret)
 	krb5_err(context,1, ret, "hdb_create");
@@ -563,6 +566,7 @@ main(int argc, char **argv)
    time_t reconnect_max;
    time_t reconnect;
    time_t before = 0;
+    int aret;

    const char *master;

@@ -615,8 +619,13 @@ main(int argc, char **argv)
    slave_status(context, status_file, "bootstrapping\n");

 #ifdef SUPPORT_DETACH
-    if (detach_from_console)
-	daemon(0, 0);
+    if (detach_from_console){
+	aret = daemon(0, 0);
+	if (aret == -1) {
+	    /* not much to do if detaching fails... */
+	    krb5_err(context, 1, aret, "failed to daemon(3)ise");
+	}
+    }
 #endif
    pidfile (NULL);
    krb5_openlog (context, "ipropd-slave", &log_facility);
--- a/lib/kadm5/log.c
+++ b/lib/kadm5/log.c
@@ -1015,9 +1015,13 @@ static HEIMDAL_MUTEX signal_mutex = HEIMDAL_MUTEX_INITIALIZER;
 const char *
 kadm5_log_signal_socket(krb5_context context)
 {
+    int ret = 0;
+
    HEIMDAL_MUTEX_lock(&signal_mutex);
    if (!default_signal)
-	asprintf(&default_signal, "%s/signal", hdb_db_dir(context));
+	ret = asprintf(&default_signal, "%s/signal", hdb_db_dir(context));
+    if (ret == -1)
+	default_signal = NULL;
    HEIMDAL_MUTEX_unlock(&signal_mutex);

    return krb5_config_get_string_default(context,
--- a/lib/kadm5/test_pw_quality.c
+++ b/lib/kadm5/test_pw_quality.c
@@ -42,10 +42,10 @@ static char *principal;
 static char *password;

 static struct getargs args[] = {
-    { "principal", 0, arg_string, &principal },
-    { "password", 0, arg_string, &password },
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "principal", 0, arg_string, &principal, NULL, NULL },
+    { "password", 0, arg_string, &password, NULL, NULL },
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);

--- a/lib/kafs/common.c
+++ b/lib/kafs/common.c
@@ -349,13 +349,19 @@ _kafs_try_get_cred(struct kafs_data *data, const char *user, const char *cell,
    if (kafs_verbose) {
 	const char *estr = (*data->get_error)(data, ret);
 	char *str;
-	asprintf(&str, "%s tried afs%s%s@%s -> %s (%d)",
-		 data->name, cell ? "/" : "",
-		 cell ? cell : "", realm, estr ? estr : "unknown", ret);
-	(*kafs_verbose)(kafs_verbose_ctx, str);
+	int aret;
+
+	aret = asprintf(&str, "%s tried afs%s%s@%s -> %s (%d)",
+			data->name, cell ? "/" : "",
+			cell ? cell : "", realm, estr ? estr : "unknown", ret);
+	if (aret != -1) {
+	    (*kafs_verbose)(kafs_verbose_ctx, str);
+	    free(str);
+	} else {
+	    (*kafs_verbose)(kafs_verbose_ctx, "out of memory");
+	}
 	if (estr)
 	    (*data->free_error)(data, estr);
-	free(str);
    }

    return ret;
--- a/lib/krb5/addr_families.c
+++ b/lib/krb5/addr_families.c
@@ -799,6 +799,7 @@ static struct addr_operations at[] = {
 	NULL,
 	NULL,
 	NULL,
+	NULL,
 	NULL
    }
 };
--- a/lib/krb5/config_file.c
+++ b/lib/krb5/config_file.c
@@ -444,8 +444,10 @@ krb5_config_parse_file_multi (krb5_context context,
 		home = pw->pw_dir;
 	}
 	if (home) {
-	    asprintf(&newfname, "%s%s", home, &fname[1]);
-	    if (newfname == NULL) {
+	    int aret;
+
+	    aret = asprintf(&newfname, "%s%s", home, &fname[1]);
+	    if (aret == -1 || newfname == NULL) {
 		krb5_set_error_message(context, ENOMEM,
 				       N_("malloc: out of memory", ""));
 		return ENOMEM;
--- a/lib/krb5/crypto-null.c
+++ b/lib/krb5/crypto-null.c
@@ -45,6 +45,9 @@ static struct _krb5_key_type keytype_null = {
    0,
    NULL,
    NULL,
+    NULL,
+    NULL,
+    NULL,
    NULL
 };

--- a/lib/krb5/derived-key-test.c
+++ b/lib/krb5/derived-key-test.c
@@ -72,7 +72,7 @@ static struct testcase {
    {ETYPE_DES3_CBC_SHA1, {0x00, 0x00, 0x00, 0x01, 0xaa}, 5,
     {0x26, 0xdc, 0xe3, 0x34, 0xb5, 0x45, 0x29, 0x2f, 0x2f, 0xea, 0xb9, 0xa8, 0x70, 0x1a, 0x89, 0xa4, 0xb9, 0x9e, 0xb9, 0x94, 0x2c, 0xec, 0xd0, 0x16},
     {0xf4, 0x8f, 0xfd, 0x6e, 0x83, 0xf8, 0x3e, 0x73, 0x54, 0xe6, 0x94, 0xfd, 0x25, 0x2c, 0xf8, 0x3b, 0xfe, 0x58, 0xf7, 0xd5, 0xba, 0x37, 0xec, 0x5d}},
-    {0}
+    {0, {0}, 0, {0}, {0}}
 };

 int
--- a/lib/krb5/init_creds_pw.c
+++ b/lib/krb5/init_creds_pw.c
@@ -2473,10 +2473,19 @@ krb5_get_init_creds_password(krb5_context context,
 	krb5_prompt prompt;
 	krb5_data password_data;
 	char *p, *q;
+	int aret = -1;

-	krb5_unparse_name (context, client, &p);
-	asprintf (&q, "%s's Password: ", p);
-	free (p);
+	ret = krb5_unparse_name (context, client, &p);
+	if (!ret) {
+	    aret = asprintf (&q, "%s's Password: ", p);
+	    free (p);
+	}
+	if (!ret || aret == -1 || !q) {
+	    if (!ret)
+		ret = ENOMEM;
+	    krb5_clear_error_message (context);
+	    goto out;
+	}
 	prompt.prompt = q;
 	password_data.data   = buf;
 	password_data.length = sizeof(buf);
--- a/lib/krb5/kcm.c
+++ b/lib/krb5/kcm.c
@@ -963,6 +963,7 @@ kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
    krb5_storage *request, *response;
    krb5_data response_data;
    char *name;
+    int aret;

    *str = NULL;

@@ -981,9 +982,9 @@ kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
    if (ret)
 	return ret;

-    asprintf(str, "%s:%s", ops->prefix, name);
+    aret = asprintf(str, "%s:%s", ops->prefix, name);
    free(name);
-    if (str == NULL)
+    if (aret == -1 || str == NULL)
 	return ENOMEM;

    return 0;
--- a/lib/krb5/keytab_any.c
+++ b/lib/krb5/keytab_any.c
@@ -257,5 +257,7 @@ const krb5_kt_ops krb5_any_ops = {
    any_next_entry,
    any_end_seq_get,
    any_add_entry,
-    any_remove_entry
+    any_remove_entry,
+    NULL,
+    0
 };
--- a/lib/krb5/keytab_file.c
+++ b/lib/krb5/keytab_file.c
@@ -776,7 +776,9 @@ const krb5_kt_ops krb5_fkt_ops = {
    fkt_next_entry,
    fkt_end_seq_get,
    fkt_add_entry,
-    fkt_remove_entry
+    fkt_remove_entry,
+    NULL,
+    0
 };

 const krb5_kt_ops krb5_wrfkt_ops = {
@@ -790,7 +792,9 @@ const krb5_kt_ops krb5_wrfkt_ops = {
    fkt_next_entry,
    fkt_end_seq_get,
    fkt_add_entry,
-    fkt_remove_entry
+    fkt_remove_entry,
+    NULL,
+    0
 };

 const krb5_kt_ops krb5_javakt_ops = {
@@ -804,5 +808,7 @@ const krb5_kt_ops krb5_javakt_ops = {
    fkt_next_entry,
    fkt_end_seq_get,
    fkt_add_entry,
-    fkt_remove_entry
+    fkt_remove_entry,
+    NULL,
+    0
 };
--- a/lib/krb5/keytab_keyfile.c
+++ b/lib/krb5/keytab_keyfile.c
@@ -462,7 +462,9 @@ const krb5_kt_ops krb5_akf_ops = {
    akf_next_entry,
    akf_end_seq_get,
    akf_add_entry,
-    NULL /* remove */
+    NULL, /* remove */
+    NULL,
+    0
 };

 #endif /* HEIMDAL_SMALLER */
--- a/lib/krb5/keytab_memory.c
+++ b/lib/krb5/keytab_memory.c
@@ -232,5 +232,7 @@ const krb5_kt_ops krb5_mkt_ops = {
    mkt_next_entry,
    mkt_end_seq_get,
    mkt_add_entry,
-    mkt_remove_entry
+    mkt_remove_entry,
+    NULL,
+    0
 };
--- a/lib/krb5/n-fold-test.c
+++ b/lib/krb5/n-fold-test.c
@@ -87,7 +87,7 @@ static struct testcase {
      0x08, 0xa5, 0x08, 0x41, 0x22, 0x9a, 0xd7, 0x98, 0xfa, 0xb9, 0x54,
      0x0c, 0x1b}
    },
-    {NULL, 0}
+    {NULL, 0, {0}}
 };

 int
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -183,10 +183,10 @@ find_cert(krb5_context context, struct krb5_pk_identity *id,
 	  hx509_query *q, hx509_cert *cert)
 {
    struct certfind cf[4] = {
-	{ "MobileMe EKU" },
-	{ "PKINIT EKU" },
-	{ "MS EKU" },
-	{ "any (or no)" }
+	{ "MobileMe EKU", NULL },
+	{ "PKINIT EKU", NULL },
+	{ "MS EKU", NULL },
+	{ "any (or no)", NULL }
    };
    int ret = HX509_CERT_NOT_FOUND;
    size_t i, start = 1;
--- a/lib/krb5/replay.c
+++ b/lib/krb5/replay.c
@@ -205,6 +205,7 @@ krb5_rc_store(krb5_context context,
    time_t t;
    FILE *f;
    int ret;
+    size_t count;

    ent.stamp = time(NULL);
    checksum_authenticator(rep, ent.data);
@@ -217,7 +218,9 @@ krb5_rc_store(krb5_context context,
 	return ret;
    }
    rk_cloexec_file(f);
-    fread(&tmp, sizeof(ent), 1, f);
+    count = fread(&tmp, sizeof(ent), 1, f);
+    if(count != 1)
+	return KRB5_RC_IO_UNKNOWN;
    t = ent.stamp - tmp.stamp;
    while(fread(&tmp, sizeof(ent), 1, f)){
 	if(tmp.stamp < t)
--- a/lib/krb5/salt-aes.c
+++ b/lib/krb5/salt-aes.c
@@ -99,5 +99,5 @@ struct salt_type _krb5_AES_salt[] = {
 	"pw-salt",
 	AES_string_to_key
    },
-    { 0 }
+    { 0, NULL, NULL }
 };
--- a/lib/krb5/salt-arcfour.c
+++ b/lib/krb5/salt-arcfour.c
@@ -108,5 +108,5 @@ struct salt_type _krb5_arcfour_salt[] = {
 	"pw-salt",
 	ARCFOUR_string_to_key
    },
-    { 0 }
+    { 0, NULL, NULL }
 };
--- a/lib/krb5/salt-des.c
+++ b/lib/krb5/salt-des.c
@@ -219,6 +219,6 @@ struct salt_type _krb5_des_salt[] = {
 	DES_AFS3_string_to_key
    },
 #endif
-    { 0 }
+    { 0, NULL, NULL }
 };
 #endif
--- a/lib/krb5/salt-des3.c
+++ b/lib/krb5/salt-des3.c
@@ -136,7 +136,7 @@ struct salt_type _krb5_des3_salt[] = {
 	"pw-salt",
 	DES3_string_to_key
    },
-    { 0 }
+    { 0, NULL, NULL }
 };
 #endif

@@ -146,5 +146,5 @@ struct salt_type _krb5_des3_salt_derived[] = {
 	"pw-salt",
 	DES3_string_to_key_derived
    },
-    { 0 }
+    { 0, NULL, NULL }
 };
--- a/lib/krb5/scache.c
+++ b/lib/krb5/scache.c
@@ -1445,7 +1445,10 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_scc_ops = {
    scc_end_cache_get,
    scc_move,
    scc_get_default_name,
-    scc_set_default
+    scc_set_default,
+    NULL,
+    NULL,
+    NULL
 };

 #endif
--- a/lib/krb5/string-to-key-test.c
+++ b/lib/krb5/string-to-key-test.c
@@ -86,7 +86,7 @@ static struct testcase {
     {0x6d, 0x2f, 0xcd, 0xf2, 0xd6, 0xfb, 0xbc, 0x3d, 0xdc, 0xad, 0xb5, 0xda, 0x57, 0x10, 0xa2, 0x34, 0x89, 0xb0, 0xd3, 0xb6, 0x9d, 0x5d, 0x9d, 0x4a}},
    {"Juri\xc5\xa1i\xc4\x87@ATHENA.MIT.EDU", "\xc3\x9f", ETYPE_DES3_CBC_SHA1,
     {0x16, 0xd5, 0xa4, 0x0e, 0x1c, 0xe3, 0xba, 0xcb, 0x61, 0xb9, 0xdc, 0xe0, 0x04, 0x70, 0x32, 0x4c, 0x83, 0x19, 0x73, 0xa7, 0xb9, 0x52, 0xfe, 0xb0}},
-    {NULL}
+    {NULL, NULL, 0, {0}}
 };

 int
--- a/lib/krb5/test_cc.c
+++ b/lib/krb5/test_cc.c
@@ -293,31 +293,31 @@ struct {
 } cc_names[] = {
    { "foo", 0, "foo" },
    { "foo%}", 0, "foo%}" },
-    { "%{uid}", 0 },
+    { "%{uid}", 0, NULL },
    { "foo%{null}", 0, "foo" },
    { "foo%{null}bar", 0, "foobar" },
-    { "%{", 1 },
-    { "%{foo %{", 1 },
-    { "%{{", 1 },
-    { "%{{}", 1 },
-    { "%{nulll}", 1 },
-    { "%{does not exist}", 1 },
-    { "%{}", 1 },
+    { "%{", 1, NULL },
+    { "%{foo %{", 1, NULL },
+    { "%{{", 1, NULL },
+    { "%{{}", 1, NULL },
+    { "%{nulll}", 1, NULL },
+    { "%{does not exist}", 1, NULL },
+    { "%{}", 1, NULL },
 #ifdef KRB5_USE_PATH_TOKENS
-    { "%{APPDATA}", 0 },
-    { "%{COMMON_APPDATA}", 0},
-    { "%{LOCAL_APPDATA}", 0},
-    { "%{SYSTEM}", 0},
-    { "%{WINDOWS}", 0},
-    { "%{TEMP}", 0},
-    { "%{USERID}", 0},
-    { "%{uid}", 0},
-    { "%{USERCONFIG}", 0},
-    { "%{COMMONCONFIG}", 0},
-    { "%{LIBDIR}", 0},
-    { "%{BINDIR}", 0},
-    { "%{LIBEXEC}", 0},
-    { "%{SBINDIR}", 0},
+    { "%{APPDATA}", 0, NULL },
+    { "%{COMMON_APPDATA}", 0, NULL},
+    { "%{LOCAL_APPDATA}", 0, NULL},
+    { "%{SYSTEM}", 0, NULL},
+    { "%{WINDOWS}", 0, NULL},
+    { "%{TEMP}", 0, NULL},
+    { "%{USERID}", 0, NULL},
+    { "%{uid}", 0, NULL},
+    { "%{USERCONFIG}", 0, NULL},
+    { "%{COMMONCONFIG}", 0, NULL},
+    { "%{LIBDIR}", 0, NULL},
+    { "%{BINDIR}", 0, NULL},
+    { "%{LIBEXEC}", 0, NULL},
+    { "%{SBINDIR}", 0, NULL},
 #endif
 };

--- a/lib/krb5/verify_krb5_conf.c
+++ b/lib/krb5/verify_krb5_conf.c
@@ -353,227 +353,227 @@ struct entry {
 };

 struct entry all_strings[] = {
-    { "", krb5_config_string, NULL },
-    { NULL }
+    { "", krb5_config_string, NULL, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry all_boolean[] = {
-    { "", krb5_config_string, check_boolean },
-    { NULL }
+    { "", krb5_config_string, check_boolean, 0 },
+    { NULL, 0, NULL, 0 }
 };


 struct entry v4_name_convert_entries[] = {
-    { "host", krb5_config_list, all_strings },
-    { "plain", krb5_config_list, all_strings },
-    { NULL }
+    { "host", krb5_config_list, all_strings, 0 },
+    { "plain", krb5_config_list, all_strings, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry libdefaults_entries[] = {
-    { "accept_null_addresses", krb5_config_string, check_boolean },
-    { "allow_weak_crypto", krb5_config_string, check_boolean },
+    { "accept_null_addresses", krb5_config_string, check_boolean, 0 },
+    { "allow_weak_crypto", krb5_config_string, check_boolean, 0 },
    { "capath", krb5_config_list, all_strings, 1 },
-    { "check_pac", krb5_config_string, check_boolean },
-    { "clockskew", krb5_config_string, check_time },
-    { "date_format", krb5_config_string, NULL },
-    { "default_cc_name", krb5_config_string, NULL },
-    { "default_etypes", krb5_config_string, NULL },
-    { "default_etypes_des", krb5_config_string, NULL },
-    { "default_keytab_modify_name", krb5_config_string, NULL },
-    { "default_keytab_name", krb5_config_string, NULL },
-    { "default_realm", krb5_config_string, NULL },
-    { "dns_canonize_hostname", krb5_config_string, check_boolean },
-    { "dns_proxy", krb5_config_string, NULL },
-    { "dns_lookup_kdc", krb5_config_string, check_boolean },
-    { "dns_lookup_realm", krb5_config_string, check_boolean },
-    { "dns_lookup_realm_labels", krb5_config_string, NULL },
-    { "egd_socket", krb5_config_string, NULL },
-    { "encrypt", krb5_config_string, check_boolean },
-    { "extra_addresses", krb5_config_string, NULL },
-    { "fcache_version", krb5_config_string, check_numeric },
-    { "fcc-mit-ticketflags", krb5_config_string, check_boolean },
-    { "forward", krb5_config_string, check_boolean },
-    { "forwardable", krb5_config_string, check_boolean },
-    { "http_proxy", krb5_config_string, check_host /* XXX */ },
-    { "ignore_addresses", krb5_config_string, NULL },
-    { "kdc_timeout", krb5_config_string, check_time },
-    { "kdc_timesync", krb5_config_string, check_boolean },
-    { "log_utc", krb5_config_string, check_boolean },
-    { "maxretries", krb5_config_string, check_numeric },
-    { "scan_interfaces", krb5_config_string, check_boolean },
-    { "srv_lookup", krb5_config_string, check_boolean },
-    { "srv_try_txt", krb5_config_string, check_boolean },
-    { "ticket_lifetime", krb5_config_string, check_time },
-    { "time_format", krb5_config_string, NULL },
-    { "transited_realms_reject", krb5_config_string, NULL },
-    { "no-addresses", krb5_config_string, check_boolean },
-    { "v4_instance_resolve", krb5_config_string, check_boolean },
-    { "v4_name_convert", krb5_config_list, v4_name_convert_entries },
-    { "verify_ap_req_nofail", krb5_config_string, check_boolean },
-    { "max_retries", krb5_config_string, check_time },
-    { "renew_lifetime", krb5_config_string, check_time },
-    { "proxiable", krb5_config_string, check_boolean },
-    { "warn_pwexpire", krb5_config_string, check_time },
+    { "check_pac", krb5_config_string, check_boolean, 0 },
+    { "clockskew", krb5_config_string, check_time, 0 },
+    { "date_format", krb5_config_string, NULL, 0 },
+    { "default_cc_name", krb5_config_string, NULL, 0 },
+    { "default_etypes", krb5_config_string, NULL, 0 },
+    { "default_etypes_des", krb5_config_string, NULL, 0 },
+    { "default_keytab_modify_name", krb5_config_string, NULL, 0 },
+    { "default_keytab_name", krb5_config_string, NULL, 0 },
+    { "default_realm", krb5_config_string, NULL, 0 },
+    { "dns_canonize_hostname", krb5_config_string, check_boolean, 0 },
+    { "dns_proxy", krb5_config_string, NULL, 0 },
+    { "dns_lookup_kdc", krb5_config_string, check_boolean, 0 },
+    { "dns_lookup_realm", krb5_config_string, check_boolean, 0 },
+    { "dns_lookup_realm_labels", krb5_config_string, NULL, 0 },
+    { "egd_socket", krb5_config_string, NULL, 0 },
+    { "encrypt", krb5_config_string, check_boolean, 0 },
+    { "extra_addresses", krb5_config_string, NULL, 0 },
+    { "fcache_version", krb5_config_string, check_numeric, 0 },
+    { "fcc-mit-ticketflags", krb5_config_string, check_boolean, 0 },
+    { "forward", krb5_config_string, check_boolean, 0 },
+    { "forwardable", krb5_config_string, check_boolean, 0 },
+    { "http_proxy", krb5_config_string, check_host /* XXX */, 0 },
+    { "ignore_addresses", krb5_config_string, NULL, 0 },
+    { "kdc_timeout", krb5_config_string, check_time, 0 },
+    { "kdc_timesync", krb5_config_string, check_boolean, 0 },
+    { "log_utc", krb5_config_string, check_boolean, 0 },
+    { "maxretries", krb5_config_string, check_numeric, 0 },
+    { "scan_interfaces", krb5_config_string, check_boolean, 0 },
+    { "srv_lookup", krb5_config_string, check_boolean, 0 },
+    { "srv_try_txt", krb5_config_string, check_boolean, 0 },
+    { "ticket_lifetime", krb5_config_string, check_time, 0 },
+    { "time_format", krb5_config_string, NULL, 0 },
+    { "transited_realms_reject", krb5_config_string, NULL, 0 },
+    { "no-addresses", krb5_config_string, check_boolean, 0 },
+    { "v4_instance_resolve", krb5_config_string, check_boolean, 0 },
+    { "v4_name_convert", krb5_config_list, v4_name_convert_entries, 0 },
+    { "verify_ap_req_nofail", krb5_config_string, check_boolean, 0 },
+    { "max_retries", krb5_config_string, check_time, 0 },
+    { "renew_lifetime", krb5_config_string, check_time, 0 },
+    { "proxiable", krb5_config_string, check_boolean, 0 },
+    { "warn_pwexpire", krb5_config_string, check_time, 0 },
    /* MIT stuff */
-    { "permitted_enctypes", krb5_config_string, mit_entry },
-    { "default_tgs_enctypes", krb5_config_string, mit_entry },
-    { "default_tkt_enctypes", krb5_config_string, mit_entry },
-    { NULL }
+    { "permitted_enctypes", krb5_config_string, mit_entry, 0 },
+    { "default_tgs_enctypes", krb5_config_string, mit_entry, 0 },
+    { "default_tkt_enctypes", krb5_config_string, mit_entry, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry appdefaults_entries[] = {
-    { "afslog", krb5_config_string, check_boolean },
-    { "afs-use-524", krb5_config_string, check_524 },
-    { "encrypt", krb5_config_string, check_boolean },
-    { "forward", krb5_config_string, check_boolean },
-    { "forwardable", krb5_config_string, check_boolean },
-    { "proxiable", krb5_config_string, check_boolean },
-    { "ticket_lifetime", krb5_config_string, check_time },
-    { "renew_lifetime", krb5_config_string, check_time },
-    { "no-addresses", krb5_config_string, check_boolean },
-    { "krb4_get_tickets", krb5_config_string, check_boolean },
-    { "pkinit_anchors", krb5_config_string, NULL },
-    { "pkinit_win2k", krb5_config_string, NULL },
-    { "pkinit_win2k_require_binding", krb5_config_string, NULL },
-    { "pkinit_require_eku", krb5_config_string, NULL },
-    { "pkinit_require_krbtgt_otherName", krb5_config_string, NULL },
-    { "pkinit_require_hostname_match", krb5_config_string, NULL },
+    { "afslog", krb5_config_string, check_boolean, 0 },
+    { "afs-use-524", krb5_config_string, check_524, 0 },
+    { "encrypt", krb5_config_string, check_boolean, 0 },
+    { "forward", krb5_config_string, check_boolean, 0 },
+    { "forwardable", krb5_config_string, check_boolean, 0 },
+    { "proxiable", krb5_config_string, check_boolean, 0 },
+    { "ticket_lifetime", krb5_config_string, check_time, 0 },
+    { "renew_lifetime", krb5_config_string, check_time, 0 },
+    { "no-addresses", krb5_config_string, check_boolean, 0 },
+    { "krb4_get_tickets", krb5_config_string, check_boolean, 0 },
+    { "pkinit_anchors", krb5_config_string, NULL, 0 },
+    { "pkinit_win2k", krb5_config_string, NULL, 0 },
+    { "pkinit_win2k_require_binding", krb5_config_string, NULL, 0 },
+    { "pkinit_require_eku", krb5_config_string, NULL, 0 },
+    { "pkinit_require_krbtgt_otherName", krb5_config_string, NULL, 0 },
+    { "pkinit_require_hostname_match", krb5_config_string, NULL, 0 },
 #if 0
-    { "anonymous", krb5_config_string, check_boolean },
+    { "anonymous", krb5_config_string, check_boolean, 0 },
 #endif
-    { "", krb5_config_list, appdefaults_entries },
-    { NULL }
+    { "", krb5_config_list, appdefaults_entries, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry realms_entries[] = {
-    { "forwardable", krb5_config_string, check_boolean },
-    { "proxiable", krb5_config_string, check_boolean },
-    { "ticket_lifetime", krb5_config_string, check_time },
-    { "renew_lifetime", krb5_config_string, check_time },
-    { "warn_pwexpire", krb5_config_string, check_time },
-    { "kdc", krb5_config_string, check_host },
-    { "admin_server", krb5_config_string, check_host },
-    { "kpasswd_server", krb5_config_string, check_host },
-    { "krb524_server", krb5_config_string, check_host },
-    { "v4_name_convert", krb5_config_list, v4_name_convert_entries },
-    { "v4_instance_convert", krb5_config_list, all_strings },
-    { "v4_domains", krb5_config_string, NULL },
-    { "default_domain", krb5_config_string, NULL },
-    { "win2k_pkinit", krb5_config_string, NULL },
+    { "forwardable", krb5_config_string, check_boolean, 0 },
+    { "proxiable", krb5_config_string, check_boolean, 0 },
+    { "ticket_lifetime", krb5_config_string, check_time, 0 },
+    { "renew_lifetime", krb5_config_string, check_time, 0 },
+    { "warn_pwexpire", krb5_config_string, check_time, 0 },
+    { "kdc", krb5_config_string, check_host, 0 },
+    { "admin_server", krb5_config_string, check_host, 0 },
+    { "kpasswd_server", krb5_config_string, check_host, 0 },
+    { "krb524_server", krb5_config_string, check_host, 0 },
+    { "v4_name_convert", krb5_config_list, v4_name_convert_entries, 0 },
+    { "v4_instance_convert", krb5_config_list, all_strings, 0 },
+    { "v4_domains", krb5_config_string, NULL, 0 },
+    { "default_domain", krb5_config_string, NULL, 0 },
+    { "win2k_pkinit", krb5_config_string, NULL, 0 },
    /* MIT stuff */
-    { "admin_keytab", krb5_config_string, mit_entry },
-    { "acl_file", krb5_config_string, mit_entry },
-    { "dict_file", krb5_config_string, mit_entry },
-    { "kadmind_port", krb5_config_string, mit_entry },
-    { "kpasswd_port", krb5_config_string, mit_entry },
-    { "master_key_name", krb5_config_string, mit_entry },
-    { "master_key_type", krb5_config_string, mit_entry },
-    { "key_stash_file", krb5_config_string, mit_entry },
-    { "max_life", krb5_config_string, mit_entry },
-    { "max_renewable_life", krb5_config_string, mit_entry },
-    { "default_principal_expiration", krb5_config_string, mit_entry },
-    { "default_principal_flags", krb5_config_string, mit_entry },
-    { "supported_enctypes", krb5_config_string, mit_entry },
-    { "database_name", krb5_config_string, mit_entry },
-    { NULL }
+    { "admin_keytab", krb5_config_string, mit_entry, 0 },
+    { "acl_file", krb5_config_string, mit_entry, 0 },
+    { "dict_file", krb5_config_string, mit_entry, 0 },
+    { "kadmind_port", krb5_config_string, mit_entry, 0 },
+    { "kpasswd_port", krb5_config_string, mit_entry, 0 },
+    { "master_key_name", krb5_config_string, mit_entry, 0 },
+    { "master_key_type", krb5_config_string, mit_entry, 0 },
+    { "key_stash_file", krb5_config_string, mit_entry, 0 },
+    { "max_life", krb5_config_string, mit_entry, 0 },
+    { "max_renewable_life", krb5_config_string, mit_entry, 0 },
+    { "default_principal_expiration", krb5_config_string, mit_entry, 0 },
+    { "default_principal_flags", krb5_config_string, mit_entry, 0 },
+    { "supported_enctypes", krb5_config_string, mit_entry, 0 },
+    { "database_name", krb5_config_string, mit_entry, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry realms_foobar[] = {
-    { "", krb5_config_list, realms_entries },
-    { NULL }
+    { "", krb5_config_list, realms_entries, 0 },
+    { NULL, 0, NULL, 0 }
 };


 struct entry kdc_database_entries[] = {
-    { "realm", krb5_config_string, NULL },
-    { "dbname", krb5_config_string, NULL },
-    { "mkey_file", krb5_config_string, NULL },
-    { "acl_file", krb5_config_string, NULL },
-    { "log_file", krb5_config_string, NULL },
-    { NULL }
+    { "realm", krb5_config_string, NULL, 0 },
+    { "dbname", krb5_config_string, NULL, 0 },
+    { "mkey_file", krb5_config_string, NULL, 0 },
+    { "acl_file", krb5_config_string, NULL, 0 },
+    { "log_file", krb5_config_string, NULL, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry kdc_entries[] = {
-    { "database", krb5_config_list, kdc_database_entries },
-    { "key-file", krb5_config_string, NULL },
-    { "logging", krb5_config_string, check_log },
-    { "max-request", krb5_config_string, check_bytes },
-    { "require-preauth", krb5_config_string, check_boolean },
-    { "ports", krb5_config_string, NULL },
-    { "addresses", krb5_config_string, NULL },
-    { "enable-kerberos4", krb5_config_string, check_boolean },
-    { "enable-524", krb5_config_string, check_boolean },
-    { "enable-http", krb5_config_string, check_boolean },
-    { "check-ticket-addresses", krb5_config_string, check_boolean },
-    { "allow-null-ticket-addresses", krb5_config_string, check_boolean },
-    { "allow-anonymous", krb5_config_string, check_boolean },
-    { "v4_realm", krb5_config_string, NULL },
+    { "database", krb5_config_list, kdc_database_entries, 0 },
+    { "key-file", krb5_config_string, NULL, 0 },
+    { "logging", krb5_config_string, check_log, 0 },
+    { "max-request", krb5_config_string, check_bytes, 0 },
+    { "require-preauth", krb5_config_string, check_boolean, 0 },
+    { "ports", krb5_config_string, NULL, 0 },
+    { "addresses", krb5_config_string, NULL, 0 },
+    { "enable-kerberos4", krb5_config_string, check_boolean, 0 },
+    { "enable-524", krb5_config_string, check_boolean, 0 },
+    { "enable-http", krb5_config_string, check_boolean, 0 },
+    { "check-ticket-addresses", krb5_config_string, check_boolean, 0 },
+    { "allow-null-ticket-addresses", krb5_config_string, check_boolean, 0 },
+    { "allow-anonymous", krb5_config_string, check_boolean, 0 },
+    { "v4_realm", krb5_config_string, NULL, 0 },
    { "enable-kaserver", krb5_config_string, check_boolean, 1 },
-    { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean },
-    { "kdc_warn_pwexpire", krb5_config_string, check_time },
-    { "use_2b", krb5_config_list, NULL },
-    { "enable-pkinit", krb5_config_string, check_boolean },
-    { "pkinit_identity", krb5_config_string, NULL },
-    { "pkinit_anchors", krb5_config_string, NULL },
-    { "pkinit_pool", krb5_config_string, NULL },
-    { "pkinit_revoke", krb5_config_string, NULL },
-    { "pkinit_kdc_ocsp", krb5_config_string, NULL },
-    { "pkinit_principal_in_certificate", krb5_config_string, NULL },
-    { "pkinit_dh_min_bits", krb5_config_string, NULL },
-    { "pkinit_allow_proxy_certificate", krb5_config_string, NULL },
-    { "hdb-ldap-create-base", krb5_config_string, NULL },
-    { "v4-realm", krb5_config_string, NULL },
-    { NULL }
+    { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean, 0 },
+    { "kdc_warn_pwexpire", krb5_config_string, check_time, 0 },
+    { "use_2b", krb5_config_list, NULL, 0 },
+    { "enable-pkinit", krb5_config_string, check_boolean, 0 },
+    { "pkinit_identity", krb5_config_string, NULL, 0 },
+    { "pkinit_anchors", krb5_config_string, NULL, 0 },
+    { "pkinit_pool", krb5_config_string, NULL, 0 },
+    { "pkinit_revoke", krb5_config_string, NULL, 0 },
+    { "pkinit_kdc_ocsp", krb5_config_string, NULL, 0 },
+    { "pkinit_principal_in_certificate", krb5_config_string, NULL, 0 },
+    { "pkinit_dh_min_bits", krb5_config_string, NULL, 0 },
+    { "pkinit_allow_proxy_certificate", krb5_config_string, NULL, 0 },
+    { "hdb-ldap-create-base", krb5_config_string, NULL, 0 },
+    { "v4-realm", krb5_config_string, NULL, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry kadmin_entries[] = {
-    { "password_lifetime", krb5_config_string, check_time },
-    { "default_keys", krb5_config_string, NULL },
-    { "use_v4_salt", krb5_config_string, NULL },
-    { "require-preauth", krb5_config_string, check_boolean },
-    { NULL }
+    { "password_lifetime", krb5_config_string, check_time, 0 },
+    { "default_keys", krb5_config_string, NULL, 0 },
+    { "use_v4_salt", krb5_config_string, NULL, 0 },
+    { "require-preauth", krb5_config_string, check_boolean, 0 },
+    { NULL, 0, NULL, 0 }
 };
 struct entry log_strings[] = {
-    { "", krb5_config_string, check_log },
-    { NULL }
+    { "", krb5_config_string, check_log, 0 },
+    { NULL, 0, NULL, 0 }
 };


 /* MIT stuff */
 struct entry kdcdefaults_entries[] = {
-    { "kdc_ports", krb5_config_string, mit_entry },
-    { "v4_mode", krb5_config_string, mit_entry },
-    { NULL }
+    { "kdc_ports", krb5_config_string, mit_entry, 0 },
+    { "v4_mode", krb5_config_string, mit_entry, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry capaths_entries[] = {
-    { "", krb5_config_list, all_strings },
-    { NULL }
+    { "", krb5_config_list, all_strings, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry password_quality_entries[] = {
-    { "policies", krb5_config_string, NULL },
-    { "external_program", krb5_config_string, NULL },
-    { "min_classes", krb5_config_string, check_numeric },
-    { "min_length", krb5_config_string, check_numeric },
-    { "", krb5_config_list, all_strings },
-    { NULL }
+    { "policies", krb5_config_string, NULL, 0 },
+    { "external_program", krb5_config_string, NULL, 0 },
+    { "min_classes", krb5_config_string, check_numeric, 0 },
+    { "min_length", krb5_config_string, check_numeric, 0 },
+    { "", krb5_config_list, all_strings, 0 },
+    { NULL, 0, NULL, 0 }
 };

 struct entry toplevel_sections[] = {
-    { "libdefaults" , krb5_config_list, libdefaults_entries },
-    { "realms", krb5_config_list, realms_foobar },
-    { "domain_realm", krb5_config_list, all_strings },
-    { "logging", krb5_config_list, log_strings },
-    { "kdc", krb5_config_list, kdc_entries },
-    { "kadmin", krb5_config_list, kadmin_entries },
-    { "appdefaults", krb5_config_list, appdefaults_entries },
-    { "gssapi", krb5_config_list, NULL },
-    { "capaths", krb5_config_list, capaths_entries },
-    { "password_quality", krb5_config_list, password_quality_entries },
+    { "libdefaults" , krb5_config_list, libdefaults_entries, 0 },
+    { "realms", krb5_config_list, realms_foobar, 0 },
+    { "domain_realm", krb5_config_list, all_strings, 0 },
+    { "logging", krb5_config_list, log_strings, 0 },
+    { "kdc", krb5_config_list, kdc_entries, 0 },
+    { "kadmin", krb5_config_list, kadmin_entries, 0 },
+    { "appdefaults", krb5_config_list, appdefaults_entries, 0 },
+    { "gssapi", krb5_config_list, NULL, 0 },
+    { "capaths", krb5_config_list, capaths_entries, 0 },
+    { "password_quality", krb5_config_list, password_quality_entries, 0 },
    /* MIT stuff */
-    { "kdcdefaults", krb5_config_list, kdcdefaults_entries },
-    { NULL }
+    { "kdcdefaults", krb5_config_list, kdcdefaults_entries, 0 },
+    { NULL, 0, NULL, 0 }
 };


--- a/lib/otp/otptest.c
+++ b/lib/otp/otptest.c
@@ -107,7 +107,7 @@ test (void)
    {"sha", "OTP's are good", "correct", 0, "d51f3e99bf8e6f0b", "RUST WELT KICK FELL TAIL FRAU"},
    {"sha", "OTP's are good", "correct", 1, "82aeb52d943774e4", "FLIT DOSE ALSO MEW DRUM DEFY"},
    {"sha", "OTP's are good", "correct", 99, "4f296a74fe1567ec", "AURA ALOE HURL WING BERG WAIT"},
-    {NULL}
+    {NULL, NULL, NULL, 0, NULL, NULL}
  };

  struct test *t;
--- a/lib/roken/base64-test.c
+++ b/lib/roken/base64-test.c
@@ -53,7 +53,7 @@ main(int argc, char **argv)
 	{ "4444", 4, "NDQ0NA==" },
 	{ "55555", 5, "NTU1NTU=" },
 	{ "abc:def", 7, "YWJjOmRlZg==" },
-	{ NULL }
+	{ NULL, 0, NULL }
    };
    for(t = tests; t->data; t++) {
 	char *str;
--- a/lib/roken/hex-test.c
+++ b/lib/roken/hex-test.c
@@ -55,7 +55,7 @@ main(int argc, char **argv)
 	{ "abcdef", 6, "616263646566" },
 	{ "abcdefg", 7, "61626364656667" },
 	{ "=", 1, "3D" },
-	{ NULL }
+	{ NULL, 0, NULL }
    };
    for(t = tests; t->data; t++) {
 	char *str;
--- a/lib/roken/rkpty.c
+++ b/lib/roken/rkpty.c
@@ -305,9 +305,9 @@ eval_parent(pid_t pid)

 static struct getargs args[] = {
    { "timeout", 	't', arg_integer, &timeout, "timout", "seconds" },
-    { "verbose", 	'v', arg_counter, &verbose, "verbose debugging" },
-    { "version",	0, arg_flag,	&version_flag, "print version" },
-    { "help",		0, arg_flag,	&help_flag, NULL }
+    { "verbose", 	'v', arg_counter, &verbose, "verbose debugging", NULL },
+    { "version",	0, arg_flag,	&version_flag, "print version", NULL },
+    { "help",		0, arg_flag,	&help_flag, NULL, NULL }
 };

 static void
--- a/lib/roken/roken_gethostby.c
+++ b/lib/roken/roken_gethostby.c
@@ -77,7 +77,8 @@ setup_int(const char *proxy_host, short proxy_port,
 	if(make_address(dns_host, &dns_addr.sin_addr) != 0)
 	    return -1;
 	dns_addr.sin_port = htons(dns_port);
-	asprintf(&dns_req, "%s", dns_path);
+	if (asprintf(&dns_req, "%s", dns_path) < 0)
+	    return -1;
    }
    dns_addr.sin_family = AF_INET;
    return 0;
--- a/lib/roken/simple_exec.c
+++ b/lib/roken/simple_exec.c
@@ -144,17 +144,31 @@ ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
 pipe_execv(FILE **stdin_fd, FILE **stdout_fd, FILE **stderr_fd,
 	   const char *file, ...)
 {
-    int in_fd[2], out_fd[2], err_fd[2];
+    int in_fd[2] = {-1, -1};
+    int out_fd[2] = {-1, -1};
+    int err_fd[2] = {-1, -1};
    pid_t pid;
    va_list ap;
    char **argv;
+    int ret = 0;

    if(stdin_fd != NULL)
-	pipe(in_fd);
-    if(stdout_fd != NULL)
-	pipe(out_fd);
-    if(stderr_fd != NULL)
-	pipe(err_fd);
+	ret = pipe(in_fd);
+    if(ret != -1 && stdout_fd != NULL)
+	ret = pipe(out_fd);
+    if(ret != -1 && stderr_fd != NULL)
+	ret = pipe(err_fd);
+
+    if (ret == -1) {
+	close(in_fd[0]);
+	close(in_fd[1]);
+	close(out_fd[0]);
+	close(out_fd[1]);
+	close(err_fd[0]);
+	close(err_fd[1]);
+	return SE_E_UNSPECIFIED;
+    }
+
    pid = fork();
    switch(pid) {
    case 0:
--- a/lib/roken/test-mem.c
+++ b/lib/roken/test-mem.c
@@ -70,13 +70,16 @@ static RETSIGTYPE
 segv_handler(int sig)
 {
    int fd;
+    ssize_t ret;
    char msg[] = "SIGSEGV i current test: ";

    fd = open("/dev/stdout", O_WRONLY, 0600);
    if (fd >= 0) {
-	(void)write(fd, msg, sizeof(msg) - 1);
-	(void)write(fd, testname, strlen(testname));
-	(void)write(fd, "\n", 1);
+	ret = write(fd, msg, sizeof(msg) - 1);
+	if (ret != -1)
+	    ret = write(fd, testname, strlen(testname));
+	if (ret != -1)
+	    ret = write(fd, "\n", 1);
 	close(fd);
    }
    _exit(1);
--- a/lib/sl/slc-gram.y
+++ b/lib/sl/slc-gram.y
@@ -341,7 +341,7 @@ gen_command(struct assignment *as)
    fprintf(cfile, " },\n");
    for(a = a->next; a != NULL; a = a->next)
 	if(strcmp(a->name, "name") == 0)
-	    cprint(1, "    { \"%s\" },\n", a->u.value);
+	    cprint(1, "    { \"%s\", NULL, NULL, NULL },\n", a->u.value);
    cprint(0, "\n");
 }

@@ -360,6 +360,7 @@ make_name(struct assignment *as)
    struct assignment *lopt;
    struct assignment *type;
    char *s;
+    int ret;

    lopt = find(as, "long");
    if(lopt == NULL)
@@ -369,9 +370,11 @@ make_name(struct assignment *as)

    type = find(as, "type");
    if(strcmp(type->u.value, "-flag") == 0)
-	asprintf(&s, "%s_flag", lopt->u.value);
+	ret = asprintf(&s, "%s_flag", lopt->u.value);
    else
-	asprintf(&s, "%s_%s", lopt->u.value, type->u.value);
+	ret = asprintf(&s, "%s_%s", lopt->u.value, type->u.value);
+    if (ret == -1)
+	return NULL;
    gen_name(s);
    return s;
 }
@@ -446,7 +449,7 @@ struct type_handler {
 	  defval_neg_flag,
 	  NULL
 	},
-	{ NULL }
+	{ NULL, NULL, NULL, NULL, NULL }
 };

 static struct type_handler *find_handler(struct assignment *type)
@@ -710,7 +713,7 @@ gen(struct assignment *as)
    cprint(0, "SL_cmd commands[] = {\n");
    for(a = as; a != NULL; a = a->next)
 	gen_command(a->u.assignment);
-    cprint(1, "{ NULL }\n");
+    cprint(1, "{ NULL, NULL, NULL, NULL }\n");
    cprint(0, "};\n");

    hprint(0, "extern SL_cmd commands[];\n");
@@ -719,8 +722,8 @@ gen(struct assignment *as)
 int version_flag;
 int help_flag;
 struct getargs args[] = {
-    { "version", 0, arg_flag, &version_flag },
-    { "help", 0, arg_flag, &help_flag }
+    { "version", 0, arg_flag, &version_flag, NULL, NULL },
+    { "help", 0, arg_flag, &help_flag, NULL, NULL }
 };
 int num_args = sizeof(args) / sizeof(args[0]);

--- a/lib/wind/bidi.c
+++ b/lib/wind/bidi.c
@@ -51,7 +51,7 @@ range_entry_cmp(const void *a, const void *b)
 static int
 is_ral(uint32_t cp)
 {
-    struct range_entry ee = {cp};
+    struct range_entry ee = {cp, 0};
    void *s = bsearch(&ee, _wind_ral_table, _wind_ral_table_size,
 		      sizeof(_wind_ral_table[0]),
 		      range_entry_cmp);
@@ -61,7 +61,7 @@ is_ral(uint32_t cp)
 static int
 is_l(uint32_t cp)
 {
-    struct range_entry ee = {cp};
+    struct range_entry ee = {cp, 0};
    void *s = bsearch(&ee, _wind_l_table, _wind_l_table_size,
 		      sizeof(_wind_l_table[0]),
 		      range_entry_cmp);
--- a/lib/wind/combining.c
+++ b/lib/wind/combining.c
@@ -49,7 +49,7 @@ translation_cmp(const void *key, const void *data)
 int
 _wind_combining_class(uint32_t code_point)
 {
-    struct translation ts = {code_point};
+    struct translation ts = {code_point, 0};
    void *s = bsearch(&ts, _wind_combining_table, _wind_combining_table_size,
 		      sizeof(_wind_combining_table[0]),
 		      translation_cmp);
--- a/lib/wind/errorlist.c
+++ b/lib/wind/errorlist.c
@@ -51,7 +51,7 @@ error_entry_cmp(const void *a, const void *b)
 int
 _wind_stringprep_error(const uint32_t cp, wind_profile_flags flags)
 {
-    struct error_entry ee = {cp};
+    struct error_entry ee = {cp, 0, 0};
    const struct error_entry *s;

    s = (const struct error_entry *)
--- a/lib/wind/map.c
+++ b/lib/wind/map.c
@@ -58,7 +58,7 @@ _wind_stringprep_map(const uint32_t *in, size_t in_len,
    unsigned o = 0;

    for (i = 0; i < in_len; ++i) {
-	struct translation ts = {in[i]};
+	struct translation ts = {in[i], 0, 0, 0};
 	const struct translation *s;

 	s = (const struct translation *)
--- a/lib/wind/normalize.c
+++ b/lib/wind/normalize.c
@@ -127,7 +127,7 @@ compat_decomp(const uint32_t *in, size_t in_len,
    unsigned o = 0;

    for (i = 0; i < in_len; ++i) {
-	struct translation ts = {in[i]};
+	struct translation ts = {in[i], 0, 0};
 	size_t sub_len = *out_len - o;
 	int ret;

--- a/lib/wind/test-normalize.c
+++ b/lib/wind/test-normalize.c
@@ -47,7 +47,7 @@
 static size_t
 parse_vector(char *buf, uint32_t *v)
 {
-    char *last;
+    char *last = NULL;
    unsigned ret = 0;
    const char *n;
    unsigned u;
--- a/lib/wind/test-utf8.c
+++ b/lib/wind/test-utf8.c
@@ -78,24 +78,24 @@ struct testcase {
 };

 static const struct testcase testcases[] = {
-    {"", 0, {0}},
-    {"\x01", 1, {1}},
-    {"\x7F", 1, {0x7F}},
-    {"\x01\x7F", 2, {0x01, 0x7F}},
-    {"\xC0\x80", 1, {0}},
-    {"\xC0\x81", 1, {1}},
-    {"\xC1\x80", 1, {0x40}},
-    {"\xDF\xBF", 1, {0x7FF}},
-    {"\xE0\x80\x80", 1, {0}},
-    {"\xE0\x80\x81", 1, {1}},
-    {"\xE0\x81\x80", 1, {0x40}},
-    {"\xE1\x80\x80", 1, {0x1000}},
-    {"\xEF\xBF\xBF", 1, {0xFFFF}},
-    {"\xF0\x80\x80\x80", 1, {0}},
-    {"\xF0\x80\x80\x81", 1, {1}},
-    {"\xF0\x80\x81\x80", 1, {0x40}},
-    {"\xF0\x81\x80\x80", 1, {0x1000}},
-    {"\xF1\x80\x80\x80", 1, {0x40000}},
+    {"", 0, {0}, 0},
+    {"\x01", 1, {1}, 0},
+    {"\x7F", 1, {0x7F}, 0},
+    {"\x01\x7F", 2, {0x01, 0x7F}, 0},
+    {"\xC0\x80", 1, {0}, 0},
+    {"\xC0\x81", 1, {1}, 0},
+    {"\xC1\x80", 1, {0x40}, 0},
+    {"\xDF\xBF", 1, {0x7FF}, 0},
+    {"\xE0\x80\x80", 1, {0}, 0},
+    {"\xE0\x80\x81", 1, {1}, 0},
+    {"\xE0\x81\x80", 1, {0x40}, 0},
+    {"\xE1\x80\x80", 1, {0x1000}, 0},
+    {"\xEF\xBF\xBF", 1, {0xFFFF}, 0},
+    {"\xF0\x80\x80\x80", 1, {0}, 0},
+    {"\xF0\x80\x80\x81", 1, {1}, 0},
+    {"\xF0\x80\x81\x80", 1, {0x40}, 0},
+    {"\xF0\x81\x80\x80", 1, {0x1000}, 0},
+    {"\xF1\x80\x80\x80", 1, {0x40000}, 0},
    {"\xF7\xBF\xBF\xBF", 1, {0X1FFFFF}, 1},
 };