diff --git a/lib/libefivar/efivar.c b/lib/libefivar/efivar.c
index bce4a1449ab2..4e02eb80caef 100644
--- a/lib/libefivar/efivar.c
+++ b/lib/libefivar/efivar.c
@@ -225,8 +225,13 @@ efi_get_next_variable_name(efi_guid_t **guid, char **name)
 	if (efi_open_dev() == -1)
 		return -1;
 
+	/*
+	 * Always allocate enough for an extra NUL on the end, but don't tell
+	 * the IOCTL about it so we can NUL terminate the name before converting
+	 * it to UTF8.
+	 */
 	if (buf == NULL)
-		buf = malloc(buflen);
+		buf = malloc(buflen + sizeof(efi_char));
 
 again:
 	efi_var_reset(&var);
@@ -244,21 +249,23 @@ efi_get_next_variable_name(efi_guid_t **guid, char **name)
 	rv = ioctl(efi_fd, EFIIOC_VAR_NEXT, &var);
 	if (rv == 0 && var.name == NULL) {
 		/*
-		 * oops, too little space. Try again.
+		 * Variable name not long enough, so allocate more space for the
+		 * name and try again. As above, mind the NUL we add.
 		 */
-		void *new = realloc(buf, buflen);
-		buflen = var.namesize;
+		void *new = realloc(buf, var.namesize + sizeof(efi_char));
 		if (new == NULL) {
 			rv = -1;
 			errno = ENOMEM;
 			goto done;
 		}
+		buflen = var.namesize;
 		buf = new;
 		goto again;
 	}
 
 	if (rv == 0) {
-		*name = NULL; /* XXX */
+		free(*name);			/* Free last name, to avoid leaking */
+		*name = NULL;			/* Force ucs2_to_utf8 to malloc new space */
 		var.name[var.namesize / sizeof(efi_char)] = 0;	/* EFI doesn't NUL terminate */
 		rv = ucs2_to_utf8(var.name, name);
 		if (rv != 0)
@@ -269,9 +276,11 @@ efi_get_next_variable_name(efi_guid_t **guid, char **name)
 errout:
 
 	/* XXX The linux interface expects name to be a static buffer -- fix or leak memory? */
+	/* XXX for the moment, we free just before we'd leak, but still leak last one */
 done:
-	if (errno == ENOENT) {
+	if (rv != 0 && errno == ENOENT) {
 		errno = 0;
+		free(*name);			/* Free last name, to avoid leaking */
 		return 0;
 	}