diff --git a/lib/dns/sec/dst/opensslrsa_link.c b/lib/dns/sec/dst/opensslrsa_link.c
index 822fe67901..e9e08ca1e0 100644
--- a/lib/dns/sec/dst/opensslrsa_link.c
+++ b/lib/dns/sec/dst/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.13 2001/09/15 00:01:56 bwelling Exp $
+ * $Id: opensslrsa_link.c,v 1.14 2001/11/06 17:59:50 bwelling Exp $
  */
 #ifdef OPENSSL
 
@@ -311,21 +311,27 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		return (ISC_R_NOMEMORY);
 	rsa->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
 
-	if (r.length < 1)
+	if (r.length < 1) {
+		RSA_free(rsa);
 		return (DST_R_INVALIDPUBLICKEY);
+	}
 	e_bytes = *r.base++;
 	r.length--;
 
 	if (e_bytes == 0) {
-		if (r.length < 2)
+		if (r.length < 2) {
+			RSA_free(rsa);
 			return (DST_R_INVALIDPUBLICKEY);
+		}
 		e_bytes = ((*r.base++) << 8);
 		e_bytes += *r.base++;
 		r.length -= 2;
 	}
 
-	if (r.length < e_bytes)
+	if (r.length < e_bytes) {
+		RSA_free(rsa);
 		return (DST_R_INVALIDPUBLICKEY);
+	}
 	rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
 	r.base += e_bytes;
 	r.length -= e_bytes;