hashicorp · Manishakumari-hc · Oct 14, 2025 · Oct 10, 2025 · Oct 10, 2025 · Oct 13, 2025
@@ -234,19 +234,31 @@ func (s *HTTPHandlers) KVSPut(resp http.ResponseWriter, req *http.Request, args
 	}
 
 	// Check the content-length
-	if req.ContentLength > int64(s.agent.config.KVMaxValueSize) {
+	maxSize := int64(s.agent.config.KVMaxValueSize)
+	if req.ContentLength > maxSize {
 		return nil, HTTPError{
 			StatusCode: http.StatusRequestEntityTooLarge,
 			Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.",
-				req.ContentLength, s.agent.config.KVMaxValueSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
+				req.ContentLength, maxSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
 		}
 	}
 
-	// Copy the value
-	buf := bytes.NewBuffer(nil)
-	if _, err := io.Copy(buf, req.Body); err != nil {
+	// LimitReader to limit copy of large requests with no Content-Length
+	limitedReader := io.LimitReader(req.Body, maxSize+1)
+	buf := new(bytes.Buffer)
+	copiedBytes, err := io.Copy(buf, limitedReader)
+	if err != nil {
 		return nil, err
 	}
+
+	// Reject request if actual read size exceeds allowed limit
+	if copiedBytes > maxSize {
+		return nil, HTTPError{
+			StatusCode: http.StatusRequestEntityTooLarge,
+			Reason:     fmt.Sprintf("Request body too large, max allowed is %d bytes.", maxSize),
+		}
+	}
+
 	applyReq.DirEnt.Value = buf.Bytes()
 
 	// Make the RPC