diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index ca8cb84af..a09184a60 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -22,6 +22,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"strings"
@@ -153,10 +154,10 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 	var locationConstraint string
 	if action == policy.CreateBucketAction {
 		// To extract region from XML in request body, get copy of request body.
-		payload, err := ioutil.ReadAll(r.Body)
+		payload, err := ioutil.ReadAll(io.LimitReader(r.Body, maxLocationConstraintSize))
 		if err != nil {
 			logger.LogIf(ctx, err)
-			return ErrAccessDenied
+			return ErrMalformedXML
 		}
 
 		// Populate payload to extract location constraint.
@@ -165,7 +166,7 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 		var s3Error APIErrorCode
 		locationConstraint, s3Error = parseLocationConstraint(r)
 		if s3Error != ErrNone {
-			return ErrAccessDenied
+			return s3Error
 		}
 
 		// Populate payload again to handle it in HTTP handler.
diff --git a/cmd/globals.go b/cmd/globals.go
index 7d34d8296..3fc601ad2 100644
--- a/cmd/globals.go
+++ b/cmd/globals.go
@@ -76,6 +76,9 @@ const (
 	globalMultipartExpiry = time.Hour * 24 * 14 // 2 weeks.
 	// Cleanup interval when the stale multipart cleanup is initiated.
 	globalMultipartCleanupInterval = time.Hour * 24 // 24 hrs.
+
+	// Limit of location constraint XML for unauthenticted PUT bucket operations.
+	maxLocationConstraintSize = 3 * humanize.MiByte
 )
 
 var (