diff --git a/src/ssp/database.c b/src/ssp/database.c
index ec67982..5940e29 100644
--- a/src/ssp/database.c
+++ b/src/ssp/database.c
@@ -60,6 +60,7 @@ open_db(struct ssp *ctx)
     u32p_be((u32 *) (ctx->sa.s + salen));
     if (* (u32 *) (ctx->sa.s + salen) != SSP_MAGIC) {
         warnu("read ", ESC, db_file(ctx), ESC, ": not an SSP database");
+        ctx->sa.len = salen;
         return (errno = ENOMSG, -1);
     }
     /* set off past the magic, to the salt */
@@ -72,12 +73,14 @@ open_db(struct ssp *ctx)
     /* check the fileis big enough to contain up to encrypted data */
     if (ctx->sa.len <= off) {
         warnu("read ", ESC, db_file(ctx), ESC, ": file corrupted");
+        ctx->sa.len = salen;
         return (errno = EBADE, -1);
     }
 
     char key[KEY_LEN];
     if (!get_key(key, salt, "Enter database password: ", ctx)) {
         warnusys("read ", ESC, db_file(ctx), ESC, ": cannot read password");
+        ctx->sa.len = salen;
         return -1;
     }
 
@@ -89,6 +92,7 @@ open_db(struct ssp *ctx)
     u32p_be((u32 *) (ctx->sa.s + off));
     if (* (u32 *) (ctx->sa.s + off) != SSP_MAGIC_INT) {
         warnu("read ", ESC, db_file(ctx), ESC, ": wrong password");
+        ctx->sa.len = salen;
         return (errno = EINVAL, -1);
     }
     /* move off past internal magic, to actual cdb content */
@@ -213,7 +217,7 @@ write_db(char *data, size_t dlen, struct ssp *ctx)
 void
 rebuild_db(const char *oldkey, const char *newkey, const struct otp *otp, struct ssp *ctx)
 {
-    cdbmaker_sa mkr;
+    cdbmaker_sa mkr = CDBMAKER_SA_ZERO;
 
     if (!rebuild_cdb(&mkr, oldkey, newkey, otp, ctx))
         diefu(exitcode_from_errno(errno), "save database",