Set errno to ENOENT so that we return it as an error in case a particular
lookup fails.  The glibc NSS layer checks our return code and kicks errno
back to the caller.  If we don't set it, anywhere, on error, then the
previous error is returned.  That can be ERANGE, which would cause NSS to
allocate a larger buffer and try again.  For no-such-key errors, this was
exactly what was happening, and it could result in an out-of-memory error.

--- nss_db-2.5/db-XXX.c~	2011-12-13 15:22:18.000000000 +0200
+++ nss_db-2.5/db-XXX.c	2012-02-09 23:02:40.190586276 +0200
@@ -122,7 +122,7 @@
     }
 
   /* Succeed if it matches a value that parses correctly.  */
-/*  *errnop = ENOENT; */
+  *errnop = ENOENT;
   value.flags = 0;
   syslog (LOG_DEBUG, PACKAGE ": db->get (%s)\n", (char *)key->data);
   err = db->get (db, NULL, key, &value, 0);