diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0f30d2db4b4b9c6dec0bccfec482f798642ccd5b..1ac8191850ff04a77e2e26da9cb9c996947351f4 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3036,6 +3036,13 @@ void ssl3_clear(SSL *s)
 		s->s3->tmp.ecdh = NULL;
 		}
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+	if (s->s3->tlsext_authz_client_types != NULL)
+		{
+		OPENSSL_free(s->s3->tlsext_authz_client_types);
+		s->s3->tlsext_authz_client_types = NULL;
+		}
+#endif
 
 	rp = s->s3->rbuf.buf;
 	wp = s->s3->wbuf.buf;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 85a5681f87a41df497151d545be6c9014acafc95..5b285995ab34b073b626b37adecabfad4ac49328 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1781,6 +1781,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 			if (!s->hit)
 				{
 				size_t i;
+				if (s->s3->tlsext_authz_client_types != NULL)
+					OPENSSL_free(s->s3->tlsext_authz_client_types);
 				s->s3->tlsext_authz_client_types =
 					OPENSSL_malloc(server_authz_dataformatlist_length);
 				if (!s->s3->tlsext_authz_client_types)