diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c
index 9b0b31792b..34380ae9a0 100644
--- a/lib/socks_gssapi.c
+++ b/lib/socks_gssapi.c
@@ -167,6 +167,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
   }
 
   Curl_safefree(service.value);
+  service.length = 0;
 
   if(check_gss_err(data, gss_major_status,
                    gss_minor_status, "gss_import_name()")) {
@@ -191,8 +192,10 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
                                                  TRUE,
                                                  &gss_ret_flags);
 
-    if(gss_token != GSS_C_NO_BUFFER)
+    if(gss_token != GSS_C_NO_BUFFER) {
       Curl_safefree(gss_recv_token.value);
+      gss_recv_token.length = 0;
+    }
     if(check_gss_err(data, gss_major_status,
                      gss_minor_status, "gss_init_sec_context") ||
        /* the size needs to fit in a 16 bit field */
@@ -293,6 +296,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
       failf(data, "Failed to receive GSS-API authentication token.");
       gss_release_name(&gss_status, &server);
       Curl_safefree(gss_recv_token.value);
+      gss_recv_token.length = 0;
       Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL);
       return CURLE_COULDNT_CONNECT;
     }
@@ -403,12 +407,14 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
 
     if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_wrap")) {
       Curl_safefree(gss_send_token.value);
+      gss_send_token.length = 0;
       gss_release_buffer(&gss_status, &gss_w_token);
       Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL);
       failf(data, "Failed to wrap GSS-API encryption value into token.");
       return CURLE_COULDNT_CONNECT;
     }
     Curl_safefree(gss_send_token.value);
+    gss_send_token.length = 0;
 
     us_length = htons((unsigned short)gss_w_token.length);
     memcpy(socksreq + 2, &us_length, sizeof(short));
@@ -482,6 +488,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
   if(result || (actualread != us_length)) {
     failf(data, "Failed to receive GSS-API encryption type.");
     Curl_safefree(gss_recv_token.value);
+    gss_recv_token.length = 0;
     Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL);
     return CURLE_COULDNT_CONNECT;
   }
@@ -493,12 +500,14 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
 
     if(check_gss_err(data, gss_major_status, gss_minor_status, "gss_unwrap")) {
       Curl_safefree(gss_recv_token.value);
+      gss_recv_token.length = 0;
       gss_release_buffer(&gss_status, &gss_w_token);
       Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL);
       failf(data, "Failed to unwrap GSS-API encryption value into token.");
       return CURLE_COULDNT_CONNECT;
     }
     Curl_safefree(gss_recv_token.value);
+    gss_recv_token.length = 0;
 
     if(gss_w_token.length != 1) {
       failf(data, "Invalid GSS-API encryption response length (%zu).",
@@ -516,12 +525,14 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(struct Curl_cfilter *cf,
       failf(data, "Invalid GSS-API encryption response length (%zu).",
             gss_recv_token.length);
       Curl_safefree(gss_recv_token.value);
+      gss_recv_token.length = 0;
       Curl_gss_delete_sec_context(&gss_status, &gss_context, NULL);
       return CURLE_COULDNT_CONNECT;
     }
 
     memcpy(socksreq, gss_recv_token.value, gss_recv_token.length);
     Curl_safefree(gss_recv_token.value);
+    gss_recv_token.length = 0;
   }
 
   (void)curlx_nonblock(sock, TRUE);