diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c
index 3d09d43f6..50cb664f0 100644
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@@ -137,6 +137,16 @@ static BOOL nla_decrypt_public_key_hash(rdpNla* nla);
 static BOOL nla_encrypt_ts_credentials(rdpNla* nla);
 static BOOL nla_decrypt_ts_credentials(rdpNla* nla);
 
+static void nla_buffer_free(rdpNla* nla)
+{
+	WINPR_ASSERT(nla);
+	sspi_SecBufferFree(&nla->pubKeyAuth);
+	sspi_SecBufferFree(&nla->authInfo);
+	sspi_SecBufferFree(&nla->negoToken);
+	sspi_SecBufferFree(&nla->ClientNonce);
+	sspi_SecBufferFree(&nla->PublicKey);
+}
+
 static BOOL nla_Digest_Update_From_SecBuffer(WINPR_DIGEST_CTX* ctx, const SecBuffer* buffer)
 {
 	if (!buffer)
@@ -699,12 +709,12 @@ static BOOL nla_server_recv_credentials(rdpNla* nla)
 
 static int nla_server_authenticate(rdpNla* nla)
 {
-	int res = -1;
+	int ret = -1;
 
 	WINPR_ASSERT(nla);
 
 	if (nla_server_init(nla) < 1)
-		return -1;
+		goto fail;
 
 	/*
 	 * from tspkg.dll: 0x00000112
@@ -744,8 +754,10 @@ static int nla_server_authenticate(rdpNla* nla)
 
 	while (TRUE)
 	{
+		int res = -1;
+
 		if (nla_server_recv(nla) < 0)
-			return -1;
+			goto fail;
 
 		WLog_DBG(TAG, "Receiving Authentication Token");
 		credssp_auth_take_input_buffer(nla->auth, &nla->negoToken);
@@ -778,7 +790,7 @@ static int nla_server_authenticate(rdpNla* nla)
 
 			nla_send(nla);
 			/* Access Denied */
-			return -1;
+			goto fail;
 		}
 
 		if (res == 1)
@@ -787,10 +799,10 @@ static int nla_server_authenticate(rdpNla* nla)
 			if (credssp_auth_have_output_token(nla->auth))
 			{
 				if (!nla_send(nla))
-					return -1;
+					goto fail;
 
 				if (nla_server_recv(nla) < 0)
-					return -1;
+					goto fail;
 
 				WLog_DBG(TAG, "Receiving pubkey Token");
 			}
@@ -801,7 +813,7 @@ static int nla_server_authenticate(rdpNla* nla)
 				res = nla_decrypt_public_key_hash(nla);
 
 			if (!res)
-				return -1;
+				goto fail;
 
 			/* Clear nego token buffer or we will send it again to the client */
 			sspi_SecBufferFree(&nla->negoToken);
@@ -812,24 +824,29 @@ static int nla_server_authenticate(rdpNla* nla)
 				res = nla_encrypt_public_key_hash(nla);
 
 			if (!res)
-				return -1;
+				goto fail;
 		}
 
 		/* send authentication token */
 		WLog_DBG(TAG, "Sending Authentication Token");
 
 		if (!nla_send(nla))
-			return -1;
+			goto fail;
 
 		if (res == 1)
+		{
+			ret = 1;
 			break;
+		}
 	}
 
 	/* Receive encrypted credentials */
 	if (!nla_server_recv_credentials(nla))
-		return -1;
+		ret = -1;
 
-	return 1;
+fail:
+	nla_buffer_free(nla);
+	return ret;
 }
 
 /**
@@ -1678,11 +1695,7 @@ void nla_free(rdpNla* nla)
 		return;
 
 	smartcardCertInfo_Free(nla->smartcardCert);
-	sspi_SecBufferFree(&nla->pubKeyAuth);
-	sspi_SecBufferFree(&nla->authInfo);
-	sspi_SecBufferFree(&nla->negoToken);
-	sspi_SecBufferFree(&nla->ClientNonce);
-	sspi_SecBufferFree(&nla->PublicKey);
+	nla_buffer_free(nla);
 	sspi_SecBufferFree(&nla->tsCredentials);
 	credssp_auth_free(nla->auth);