diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
index 9d18b721f..d508e173f 100644
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@@ -1725,7 +1725,8 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
         {
           log_error ("hash algo mismatch: %d announced but %d used\n",
                      algo, hashalgo);
-          return gpg_error (GPG_ERR_INV_CRL);
+          err = gpg_error (GPG_ERR_INV_CRL);
+          goto leave;
         }
       /* Add some restrictions; see ../sm/certcheck.c for details.  */
       switch (algo)
@@ -1741,14 +1742,16 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
         default:
           log_error ("PSS hash algorithm '%s' rejected\n",
                      gcry_md_algo_name (algo));
-          return gpg_error (GPG_ERR_DIGEST_ALGO);
+          err = gpg_error (GPG_ERR_DIGEST_ALGO);
+          goto leave;
         }
 
       if (gcry_md_get_algo_dlen (algo) != saltlen)
         {
           log_error ("PSS hash algorithm '%s' rejected due to salt length %u\n",
                      gcry_md_algo_name (algo), saltlen);
-          return gpg_error (GPG_ERR_DIGEST_ALGO);
+          err = gpg_error (GPG_ERR_DIGEST_ALGO);
+          goto leave;
         }
     }
 
diff --git a/dirmngr/http.c b/dirmngr/http.c
index f7f65303b..74ce5f465 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2208,7 +2208,11 @@ send_request (ctrl_t ctrl, http_t hd, const char *httphost, const char *auth,
 
   p = build_rel_path (hd->uri);
   if (!p)
-    return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+    {
+      xfree (authstr);
+      xfree (proxy_authstr);
+      return gpg_err_make (default_errsource, gpg_err_code_from_syserror ());
+    }
 
   if (http_proxy && *http_proxy)
     {
diff --git a/dirmngr/ldap.c b/dirmngr/ldap.c
index ffe54bade..96abc89d0 100644
--- a/dirmngr/ldap.c
+++ b/dirmngr/ldap.c
@@ -563,8 +563,10 @@ start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *r_context,
       use_ldaps = server->use_ldaps;
     }
   else /* Use a default server. */
-    return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
-
+    {
+      xfree (proxy);
+      return gpg_error (GPG_ERR_NOT_IMPLEMENTED);
+    }
 
   if (!base)
     base = "";
diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
index 6ed180955..6864f9854 100644
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@@ -534,6 +534,7 @@ check_signature (ctrl_t ctrl,
       err = ksba_ocsp_get_responder_id (ocsp, &name, &keyid);
       if (err)
         {
+          gcry_sexp_release (s_hash);
           log_error (_("error getting responder ID: %s\n"),
                      gcry_strerror (err));
           return err;