diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk
--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@@ -304,12 +304,13 @@
 FORTIFY_SOURCE?=	0
 .if ${MK_SSP} != "no"
 # Don't use -Wstack-protector as it breaks world with -Werror.
-SSP_CFLAGS?=	-fstack-protector-strong
+SSP_CFLAGS?=	-fstack-protector-strong -fstack-clash-protection
 CFLAGS+=	${SSP_CFLAGS}
 .endif # SSP
 .if ${FORTIFY_SOURCE} > 0
-CFLAGS+=	-D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
-CXXFLAGS+=	-D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+# Ideally we want -fstrict-flex-arrays=3, but even =2 shows issues.
+CFLAGS+=	-D_FORTIFY_SOURCE=${FORTIFY_SOURCE} -fstrict-flex-arrays=1
+CXXFLAGS+=	-D_FORTIFY_SOURCE=${FORTIFY_SOURCE} -D_GLIBCXX_ASSERTIONS -fstrict-flex-arrays=1
 .endif
 
 # Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBUG_FILES is