diff --git a/sys/cam/ctl/ctl.c b/sys/cam/ctl/ctl.c
index 83e2289..3af1c12 100644
--- a/sys/cam/ctl/ctl.c
+++ b/sys/cam/ctl/ctl.c
@@ -2397,8 +2397,10 @@ ctl_free_args(int num_args, struct ctl_be_arg *args)
 		return;
 
 	for (i = 0; i < num_args; i++) {
-		free(args[i].kname, M_CTL);
-		free(args[i].kvalue, M_CTL);
+		if (args[i].kname != NULL)
+			free(args[i].kname, M_CTL);
+		if (args[i].kvalue != NULL)
+			free(args[i].kvalue, M_CTL);
 	}
 
 	free(args, M_CTL);
@@ -2425,6 +2427,12 @@ ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
 	for (i = 0; i < num_args; i++) {
 		uint8_t *tmpptr;
 
+		if (args[i].namelen == 0) {
+			snprintf(error_str, error_str_len, "Argument %d "
+				 "name length is invalid", i);
+			goto bailout;
+		}
+
 		args[i].kname = ctl_copyin_alloc(args[i].name,
 			args[i].namelen, error_str, error_str_len);
 		if (args[i].kname == NULL)
@@ -2437,10 +2445,17 @@ ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
 		}
 
 		if (args[i].flags & CTL_BEARG_RD) {
+			if (args[i].vallen == 0) {
+				snprintf(error_str, error_str_len, "Argument %d "
+					 "value length is invalid", i);
+				goto bailout;
+			}
+
 			tmpptr = ctl_copyin_alloc(args[i].value,
 				args[i].vallen, error_str, error_str_len);
 			if (tmpptr == NULL)
 				goto bailout;
+
 			if ((args[i].flags & CTL_BEARG_ASCII)
 			 && (tmpptr[args[i].vallen - 1] != '\0')) {
 				snprintf(error_str, error_str_len, "Argument "
diff --git a/sys/cam/ctl/ctl_ioctl.h b/sys/cam/ctl/ctl_ioctl.h
index 40bd183..7d1128d 100644
--- a/sys/cam/ctl/ctl_ioctl.h
+++ b/sys/cam/ctl/ctl_ioctl.h
@@ -317,20 +317,20 @@ typedef enum {
  *
  * flags:	Flags for the parameter, see above for values.
  *
- * vallen:	Length of the value in bytes.
+ * vallen:	Length of the value in bytes, including the terminating NUL.
  *
- * value:	Value to be set/fetched.
+ * value:	Value to be set/fetched. This must be NUL-terminated.
  *
  * kname:	For kernel use only.
  *
  * kvalue:	For kernel use only.
  */
 struct ctl_be_arg {
-	int	namelen;
-	char	*name;
-	int	flags;
-	int	vallen;
-	void	*value;
+	unsigned int	namelen;
+	char		*name;
+	int		flags;
+	unsigned int	vallen;
+	void		*value;
 
 	char	*kname;
 	void	*kvalue;