diff --git a/appl/su/su.c b/appl/su/su.c
index b96238c94..ada1f115f 100644
--- a/appl/su/su.c
+++ b/appl/su/su.c
@@ -107,10 +107,21 @@ usage (int ret)
     exit (ret);
 }
 
+static void
+free_info(struct passwd *p)
+{
+    free (p->pw_name);
+    free (p->pw_passwd);
+    free (p->pw_dir);
+    free (p->pw_shell);
+    free (p);
+}
+
 static struct passwd*
-make_info(struct passwd *pwd)
+dup_info(const struct passwd *pwd)
 {
     struct passwd *info;
+
     info = malloc(sizeof(*info));
     if(info == NULL)
 	return NULL;
@@ -121,8 +132,10 @@ make_info(struct passwd *pwd)
     info->pw_dir = strdup(pwd->pw_dir);
     info->pw_shell = strdup(pwd->pw_shell);
     if(info->pw_name == NULL || info->pw_passwd == NULL ||
-       info->pw_dir == NULL || info->pw_shell == NULL)
+       info->pw_dir == NULL || info->pw_shell == NULL) {
+	free_info (info);
 	return NULL;
+    }
     return info;
 }
 
@@ -132,7 +145,8 @@ static krb5_ccache ccache;
 #endif
 
 static int
-krb5_verify(struct passwd *login_info, struct passwd *su_info,
+krb5_verify(const struct passwd *login_info,
+	    const struct passwd *su_info,
 	    const char *kerberos_instance)
 {
 #ifdef KRB5
@@ -307,7 +321,9 @@ main(int argc, char **argv)
 	syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user);
 	errx (1, "unknown login %s", su_user);
     }
-    su_info = make_info(pwd);
+    su_info = dup_info(pwd);
+    if (su_info == NULL)
+	errx (1, "malloc: out of memory");
     
 #if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
     login_user = getlogin();
@@ -316,7 +332,9 @@ main(int argc, char **argv)
 	pwd = getpwuid(getuid());
     if(pwd == NULL)
 	errx(1, "who are you?");
-    login_info = make_info(pwd);
+    login_info = dup_info(pwd);
+    if (login_info == NULL)
+	errx (1, "malloc: out of memory");
     if(env_flag)
 	shell = login_info->pw_shell;
     else