The ServerMechanismBase class has an isDone method. The comment in the source code of this method says:
The problem is that if SASL error occurs isDone will never return true because of this code in ServerMechanismBase::step:
As you can see, the _done variable is only assigned if step's result is OK.
This bug affects AuthenticationSession's lifecycle management implemented in the CmdSaslStart::run and CmdSaslContinue::run methods. In case of an authentication error (for example, in the case of a wrong password), those methods fail to destroy the current client's AuthenticationSession instance because mechanism.isDone() returns false.
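The lifecycle problem described above can be reproduced in a small self-contained model. This is an added example, not the project's code: MechanismModel, ClientModel, runStep, sessionLeftBehind, the two-step conversation and the "secret" payload are all hypothetical, and the errorIsTerminal switch is one assumed way to correct the behaviour, not the project's actual fix.

```cpp
#include <memory>
#include <string>
#include <vector>

enum class StepResult { OK, AuthFailed };

// Hypothetical stand-in for a server-side SASL mechanism (not the project's class).
class MechanismModel {
public:
    explicit MechanismModel(bool errorIsTerminal) : _errorIsTerminal(errorIsTerminal) {}

    // Constructed conversation: two steps, each must carry the payload "secret".
    StepResult step(const std::string& payload) {
        StepResult r = (payload == "secret") ? StepResult::OK : StepResult::AuthFailed;
        if (r == StepResult::OK) {
            _done = (++_stepsOk == 2);  // reported behaviour: _done is touched only on OK
        } else if (_errorIsTerminal) {
            _done = true;               // assumed correction: a failed step ends the exchange
        }
        return r;
    }
    bool isDone() const { return _done; }

private:
    bool _errorIsTerminal;
    bool _done = false;
    int _stepsOk = 0;
};

// Hypothetical per-client state that owns the authentication session.
struct ClientModel {
    std::unique_ptr<MechanismModel> session;
};

// Models the handlers' rule from the report: destroy the session only when isDone().
StepResult runStep(ClientModel& client, const std::string& payload) {
    StepResult r = client.session->step(payload);
    if (client.session->isDone()) client.session.reset();
    return r;
}

// Returns true if the session object is still held after the payloads are processed.
bool sessionLeftBehind(bool errorIsTerminal, const std::vector<std::string>& payloads) {
    ClientModel client;
    client.session.reset(new MechanismModel(errorIsTerminal));
    for (const auto& p : payloads) {
        if (!client.session) break;  // session already destroyed
        runStep(client, p);
    }
    return client.session != nullptr;
}
```

With errorIsTerminal set to false, a single failed step leaves the session object attached to the client; with it set to true, the same input releases it.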