String buffer safety cleanup. I don't think any of these were exploitable
remotely, but they would be if e.g. it happened to call the logging
function using a DNS hostname.

Also replace random() by arc4random() - only one of these is arguably
required since it's directly used in the protocol, but we might as
well replace both to avoid using two different PRNGs.

Reviewed by: green, alex