diff --git a/server.c b/server.c
index abd697b..7964a74 100644
--- a/server.c
+++ b/server.c
@@ -951,6 +951,8 @@ client_read(struct bufferevent *bev, void *d)
 struct evbuffer *src = EVBUFFER_INPUT(bev);
 const char *path, *p, *parse_err = "invalid request";
 char decoded[DOMAIN_NAME_LEN];
+ char *nul;
+ size_t len;

 bufferevent_disable(bev, EVBUFFER_READ);

@@ -981,6 +983,14 @@ client_read(struct bufferevent *bev, void *d)
 return;
 }

+ nul = strchr(c->req, '\0');
+ len = nul - c->req;
+ if (len != c->reqlen) {
+ log_debug("NUL inside the request IRI");
+ start_reply(c, BAD_REQUEST, "bad request");
+ return;
+ }
+
 if (!parse_iri(c->req, &c->iri, &parse_err) ||
 !puny_decode(c->iri.host, decoded, sizeof(decoded), &parse_err)) {
 log_debug("IRI parse error: %s", parse_err);
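Review bot: In the second hunk, `strchr(c->req, '\0')` followed by the pointer subtraction is `strlen` spelled out, so the check can be written `if (strlen(c->req) != c->reqlen) {` and the `nul`/`len` locals added in the first hunk dropped. The guard is only sound if `c->req` is always NUL-terminated inside its buffer and `c->reqlen` counts the bytes actually received; both are set outside this hunk, so that is worth confirming. A short comment would tell the next reader why the check exists, e.g. `/* reject embedded NULs: the C-string parsers below would see a shorter request than reqlen bytes */`. client_read's body starts and ends outside the hunk.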