diff --git a/lib/setup.c b/lib/setup.c
index 292ec508..ee14c637 100644
--- a/lib/setup.c
+++ b/lib/setup.c
@@ -603,6 +603,15 @@ static int _crypt_load_verity(struct crypt_device *cd, struct crypt_params_verit
 	if (r < 0)
 		return r;
 
+	//FIXME: use crypt_free
+	if (!cd->type && !(cd->type = strdup(CRYPT_VERITY))) {
+		free(CONST_CAST(void*)cd->u.verity.hdr.hash_name);
+		free(CONST_CAST(void*)cd->u.verity.hdr.salt);
+		free(cd->u.verity.uuid);
+		crypt_memzero(&cd->u.verity.hdr, sizeof(cd->u.verity.hdr));
+		return -ENOMEM;
+	}
+
 	if (params)
 		cd->u.verity.hdr.flags = params->flags;
 
@@ -611,9 +620,6 @@ static int _crypt_load_verity(struct crypt_device *cd, struct crypt_params_verit
 	if (cd->u.verity.root_hash_size > 4096)
 		return -EINVAL;
 
-	if (!cd->type && !(cd->type = strdup(CRYPT_VERITY)))
-		return -ENOMEM;
-
 	if (params && params->data_device &&
 	    (r = crypt_set_data_device(cd, params->data_device)) < 0)
 		return r;
diff --git a/lib/verity/verity.c b/lib/verity/verity.c
index 9edd6ac4..db8adb8c 100644
--- a/lib/verity/verity.c
+++ b/lib/verity/verity.c
@@ -123,6 +123,7 @@ int VERITY_read_sb(struct crypt_device *cd,
 		log_err(cd, _("Hash algorithm %s not supported.\n"),
 			params->hash_name);
 		free(CONST_CAST(char*)params->hash_name);
+		params->hash_name = NULL;
 		return -EINVAL;
 	}
 
@@ -130,11 +131,13 @@ int VERITY_read_sb(struct crypt_device *cd,
 	if (params->salt_size > sizeof(sb.salt)) {
 		log_err(cd, _("VERITY header corrupted.\n"));
 		free(CONST_CAST(char*)params->hash_name);
+		params->hash_name = NULL;
 		return -EINVAL;
 	}
 	params->salt = malloc(params->salt_size);
 	if (!params->salt) {
 		free(CONST_CAST(char*)params->hash_name);
+		params->hash_name = NULL;
 		return -ENOMEM;
 	}
 	memcpy(CONST_CAST(char*)params->salt, sb.salt, params->salt_size);