diff --git a/pam_goatherd.c b/pam_goatherd.c
index edf426c9e621e82e4aa4373b61b8718b9d187bc8..6cd78a2f247b039bfab5dec24c5772180fd6f54b 100644
--- a/pam_goatherd.c
+++ b/pam_goatherd.c
@@ -28,6 +28,9 @@ static const char arg_server[] = "server=";
 static const char arg_port[] = "port=";
 static const char arg_certs[] = "certs=";
 
+static const char str_ok[] = "OK\n";
+static const char str_fail[] = "FAIL\n";
+
 #define dbgp(msg) do { \
     if (cfg.debug) fprintf(stderr, "[%s:%s:%i] %s\n", __FILE__, __FUNCTION__, __LINE__, msg); \
 } while(0)
@@ -194,18 +197,19 @@ static int check_hotp(struct cfg cfg, const char *user, const char *hotp)
     }
 
     char buf[5];
-    if ((err = gnutls_record_recv(session, &buf, sizeof(buf) - 1)) < 0)
+    ssize_t recvd;
+    if ((recvd = gnutls_record_recv(session, &buf, sizeof(buf) - 1)) < 0)
     {
-        dbgp2("error in send", gnutls_strerror(err));
+        dbgp2("error in send", gnutls_strerror((int)recvd));
         err = PAM_AUTHINFO_UNAVAIL;
         goto bye;
     }
 
     // auth succeeded?
-    if (!strncmp(buf, "OK", 2)) {
+    if (recvd >= strlen(str_ok) && !strncmp(buf, str_ok, strlen(str_ok))) {
         dbgp("OK");
         err = PAM_SUCCESS;
-    } else if (!strncmp(buf, "FAIL", 4)) {
+    } else if (recvd >= strlen(str_fail) && !strncmp(buf, str_fail, strlen(str_fail))) {
         dbgp("FAIL");
         err = PAM_AUTH_ERR;
     } else {
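Review bot: The `FAIL` branch can no longer match: `buf` is still `char buf[5]` and the receive asks for `sizeof(buf) - 1` = 4 bytes, so `recvd >= strlen(str_fail)` (5) is never true and a server `FAIL\n` reply falls through to the final `else`, whose body lies outside this hunk. Size the buffer from the longest expected reply, e.g. `char buf[sizeof(str_fail)];`, so the existing `sizeof(buf) - 1` read covers all five bytes. Separately, `gnutls_record_recv` may return fewer bytes than a full reply, so a short read of a valid `OK\n` also lands in the `else`; that presumably denies the login rather than granting it, but it deserves a comment or a bounded read loop. The `recvd >= strlen(...)` comparisons mix `ssize_t` with `size_t`; after the `< 0` check a cast such as `(size_t)recvd >= sizeof(str_ok) - 1` makes the intent explicit and keeps `-Wsign-compare` quiet.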