diff --git a/src/auth/db-checkpassword.c b/src/auth/db-checkpassword.c
index 47e1ef32c9..2fd4ed1630 100644
--- a/src/auth/db-checkpassword.c
+++ b/src/auth/db-checkpassword.c
@@ -303,7 +303,7 @@ static void checkpassword_child_input(struct chkpw_auth_request *request)
 
  ret = read(request->fd_in, buf, sizeof(buf));
  if (ret > 0) {
- str_append_n(request->input_buf, buf, ret);
+ str_append_data(request->input_buf, buf, ret);
  return;
  }
 
@@ -311,6 +311,11 @@ static void checkpassword_child_input(struct chkpw_auth_request *request)
  auth_request_log_error(request->request, AUTH_SUBSYS_DB,
  "read() failed: %m");
  checkpassword_internal_failure(&request);
+ } else if (memchr(str_data(request->input_buf), '\0',
+ str_len(request->input_buf)) != NULL) {
+ auth_request_log_error(request->request, AUTH_SUBSYS_DB,
+ "NUL characters in checkpassword reply");
+ checkpassword_internal_failure(&request);
  } else if (strchr(str_c(request->input_buf), '\n') != NULL) {
  auth_request_log_error(request->request, AUTH_SUBSYS_DB,
  "LF characters in checkpassword reply");
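Review bot: The switch to `str_append_data()` in the `ret > 0` branch of the first hunk carries no comment saying that a raw, length-based append is required here, so a later cleanup could plausibly turn it back into a string-style append. The replaced `str_append_n()` presumably stopped copying at the first NUL, which would hide embedded NULs from the `memchr()` test added in the second hunk; I would put `/* append raw bytes: NULs must reach input_buf so the EOF check can reject them */` above the call. Separately, no cap on how large `input_buf` may grow is visible in this hunk; if none exists elsewhere, a misbehaving checkpassword script could make the auth process buffer an arbitrarily large reply. checkpassword_child_input() starts before and continues past the hunk.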
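Review bot: The added `memchr()` branch in the second hunk does not say why a NUL in the reply is treated as an internal failure, although the very next branch reads the same buffer through `str_c()` and `strchr()`. Those stop at the first NUL, so without this test everything the child wrote after a NUL would be silently ignored instead of rejected; a one-line comment such as `/* the C-string parsing below would silently drop everything after a NUL */` would record that. For triage it would also help if the log line carried the reply size, e.g. `"NUL characters in checkpassword reply (%zu bytes)", str_len(request->input_buf)`. The if/else chain starts before and continues past the hunk, so how the accepted reply is parsed afterwards cannot be confirmed from here.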