diff --git a/lib/krb5/rd_rep.c b/lib/krb5/rd_rep.c
index 602535cdb..9968db35a 100644
--- a/lib/krb5/rd_rep.c
+++ b/lib/krb5/rd_rep.c
@@ -45,6 +45,7 @@ krb5_rd_rep(krb5_context context,
     krb5_data data;
     krb5_crypto crypto;
 
+    *repl = NULL;
     krb5_data_zero (&data);
 
     ret = decode_AP_REP(inbuf->data, inbuf->length, &ap_rep, &len);
@@ -64,11 +65,11 @@ krb5_rd_rep(krb5_context context,
     ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
     if (ret)
 	goto out;
-    ret = krb5_decrypt_EncryptedData (context,
-				      crypto,
-				      KRB5_KU_AP_REQ_ENC_PART,
-				      &ap_rep.enc_part,
-				      &data);
+    ret = krb5_decrypt_EncryptedData(context,
+				     crypto,
+				     KRB5_KU_AP_REQ_ENC_PART,
+				     &ap_rep.enc_part,
+				     &data);
     krb5_crypto_destroy(context, crypto);
     if (ret)
 	goto out;
@@ -81,17 +82,15 @@ krb5_rd_rep(krb5_context context,
     ret = decode_EncAPRepPart(data.data, data.length, *repl, &len);
     if (ret) {
 	krb5_set_error_message(context, ret, N_("Failed to decode EncAPRepPart", ""));
-	return ret;
+        goto out;
     }
 
     if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
 	if ((*repl)->ctime != auth_context->authenticator->ctime ||
 	    (*repl)->cusec != auth_context->authenticator->cusec)
 	{
-	    krb5_free_ap_rep_enc_part(context, *repl);
-	    *repl = NULL;
 	    ret = KRB5KRB_AP_ERR_MUT_FAIL;
-	    krb5_clear_error_message (context);
+	    krb5_clear_error_message(context);
 	    goto out;
 	}
     }
@@ -102,8 +101,12 @@ krb5_rd_rep(krb5_context context,
 	krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);
 
  out:
-    krb5_data_free (&data);
-    free_AP_REP (&ap_rep);
+    if (ret) {
+        krb5_free_ap_rep_enc_part(context, *repl);
+        *repl = NULL;
+    }
+    krb5_data_free(&data);
+    free_AP_REP(&ap_rep);
     return ret;
 }