hashicorp · Manishakumari-hc · Oct 14, 2025 · Oct 10, 2025 · Oct 10, 2025 · Oct 13, 2025
@@ -0,0 +1,3 @@
+```release-note:security
+security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374]()
+```
@@ -5,6 +5,7 @@ package agent
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -234,19 +235,45 @@ func (s *HTTPHandlers) KVSPut(resp http.ResponseWriter, req *http.Request, args
 	}
 
 	// Check the content-length
-	if req.ContentLength > int64(s.agent.config.KVMaxValueSize) {
+	maxSize := int64(s.agent.config.KVMaxValueSize)
+	var buf *bytes.Buffer
+
+	switch {
+	case req.ContentLength <= 0 && req.Body == nil:
+		return "Request has no content-length & no body", nil
+
+	case req.ContentLength <= 0 && req.Body != nil:
+		// LimitReader to limit copy of large requests with no Content-Length
+		//+1 ensures we can detect if the body is too large
+		byteReader := http.MaxBytesReader(nil, req.Body, maxSize+1)
+		buf = new(bytes.Buffer)
+		if _, err := io.Copy(buf, byteReader); err != nil {
+			var bodyTooLargeErr *http.MaxBytesError
+			if errors.As(err, &bodyTooLargeErr) {
+				return nil, HTTPError{
+					StatusCode: http.StatusRequestEntityTooLarge,
+					Reason:     fmt.Sprintf("Request body too large. Max allowed is %d bytes.", maxSize),
+				}
+			}
+			return nil, err
+		}
+
+	case req.ContentLength > maxSize:
+		// Throw error if Content-Length is greater than max size
 		return nil, HTTPError{
 			StatusCode: http.StatusRequestEntityTooLarge,
 			Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.",
-				req.ContentLength, s.agent.config.KVMaxValueSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
+				req.ContentLength, maxSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
 		}
-	}
 
-	// Copy the value
-	buf := bytes.NewBuffer(nil)
-	if _, err := io.Copy(buf, req.Body); err != nil {
-		return nil, err
+	default:
+		// Copy the value
+		buf = bytes.NewBuffer(nil)
+		if _, err := io.Copy(buf, req.Body); err != nil {
+			return nil, err
+		}
 	}
+
 	applyReq.DirEnt.Value = buf.Bytes()
 
 	// Make the RPC

@@ -6,6 +6,7 @@ package agent
 import (
 	"bytes"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"path"
@@ -37,6 +38,7 @@ func TestKVSEndpoint_PUT_GET_DELETE(t *testing.T) {
 	for _, key := range keys {
 		buf := bytes.NewBuffer([]byte("test"))
 		req, _ := http.NewRequest("PUT", "/v1/kv/"+key, buf)
+		req.ContentLength = int64(buf.Len())
 		resp := httptest.NewRecorder()
 		obj, err := a.srv.KVSEndpoint(resp, req)
 		if err != nil {
@@ -554,6 +556,96 @@ func TestKVSEndpoint_GET(t *testing.T) {
 	}
 }
 
+func TestKVSPUT_SwitchCases(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode")
+	}
+
+	t.Parallel()
+	a := NewTestAgent(t, "")
+	defer a.Shutdown()
+
+	maxSize := int(a.srv.agent.config.KVMaxValueSize)
+
+	tests := []struct {
+		name          string
+		body          string
+		contentLength int64
+		expectErr     bool
+		expectMsg     string
+		expectHTTPMsg string
+	}{
+		{
+			name:          "Case 2: No Content-Length but Body exists (allowed size)",
+			body:          "small-value",
+			contentLength: 0,
+			expectErr:     false,
+		},
+		{
+			name:          "Case 2b: No Content-Length but Body exists (too large)",
+			body:          strings.Repeat("x", maxSize+50),
+			contentLength: 0,
+			expectErr:     true,
+			expectHTTPMsg: fmt.Sprintf("Request body too large. Max allowed is %d bytes.", maxSize),
+		},
+		{
+			name:          "Case 3: Content-Length greater than max allowed limit",
+			body:          strings.Repeat("x", maxSize+10),
+			contentLength: int64(maxSize) + 10,
+			expectErr:     true,
+			expectHTTPMsg: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes.", int64(maxSize)+10, maxSize),
+		},
+		{
+			name:          "Case 4: Normal body within allowed limit",
+			body:          "tiny",
+			contentLength: 4,
+			expectErr:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var bodyReader io.Reader
+			if tt.body != "" {
+				bodyReader = bytes.NewBufferString(tt.body)
+			} else {
+				bodyReader = nil
+			}
+
+			req := httptest.NewRequest(http.MethodPut, "/v1/kv/switch-test", bodyReader)
+			req.ContentLength = tt.contentLength
+			resp := httptest.NewRecorder()
+
+			obj, err := a.srv.KVSEndpoint(resp, req)
+
+			// Expected error cases
+			if tt.expectErr {
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+				httpErr, ok := err.(HTTPError)
+				if !ok {
+					t.Fatalf("expected HTTPError, got %T", err)
+				}
+				if !strings.Contains(httpErr.Reason, tt.expectHTTPMsg[:20]) { // partial match
+					t.Fatalf("expected HTTPError reason to contain %q, got %q", tt.expectHTTPMsg, httpErr.Reason)
+				}
+				return
+			}
+
+			// Unexpected error
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			// Normal successful PUT result
+			if res, ok := obj.(bool); !ok || !res {
+				t.Fatalf("expected successful PUT result, got %v", obj)
+			}
+		})
+	}
+}
+
 func TestKVSEndpoint_DELETE_ConflictingFlags(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")