diff --git a/lib/gssapi/ntlm/accept_sec_context.c b/lib/gssapi/ntlm/accept_sec_context.c
index d6300006b..6a3e8899e 100644
--- a/lib/gssapi/ntlm/accept_sec_context.c
+++ b/lib/gssapi/ntlm/accept_sec_context.c
@@ -171,12 +171,14 @@ _gss_ntlm_accept_sec_context
 	output_token->value = malloc(out.length);
 	if (output_token->value == NULL && out.length != 0) {
 	    OM_uint32 gunk;
+	    heim_ntlm_free_buf(&out);
 	    _gss_ntlm_delete_sec_context(&gunk, context_handle, NULL);
 	    *minor_status = ENOMEM;
 	    return GSS_S_FAILURE;
 	}
 	memcpy(output_token->value, out.data, out.length);
 	output_token->length = out.length;
+	heim_ntlm_free_buf(&out);
 
 	ctx->flags = retflags;
 
diff --git a/lib/gssapi/ntlm/kdc.c b/lib/gssapi/ntlm/kdc.c
index e5c25596a..1bce00fc5 100644
--- a/lib/gssapi/ntlm/kdc.c
+++ b/lib/gssapi/ntlm/kdc.c
@@ -252,6 +252,7 @@ kdc_type2(OM_uint32 *minor_status,
     krb5_data ti;
 
     memset(&type2, 0, sizeof(type2));
+    memset(out, 0, sizeof(*out));
 
     /*
      * Request data for type 2 packet from the KDC.