From c5a00e513c44edefd1de7adf68b324bf352740de Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Fri, 4 May 2018 20:16:14 +0200
Subject: [PATCH] fix DoS vulnerability in request authentication (#5887)

This commit fixes a DoS vulnerability in the request authentication. The root cause is an 'unlimited' read-into-RAM from the request body. Since this read happens before the request authentication is verified the vulnerability can be exploit without any access privileges.

This commit limits the size of the request body to 3 MB. This is about the same size as AWS. The limit seems to be between 1.6 and 3.2 MB - depending on the AWS machine which is handling the request.
---
 cmd/auth-handler.go | 7 ++++---
 cmd/globals.go | 3 +++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index ca8cb84af..a09184a60 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -22,6 +22,7 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"strings"
@@ -153,10 +154,10 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 	var locationConstraint string
 	if action == policy.CreateBucketAction {
 		// To extract region from XML in request body, get copy of request body.
-		payload, err := ioutil.ReadAll(r.Body)
+		payload, err := ioutil.ReadAll(io.LimitReader(r.Body, maxLocationConstraintSize))
 		if err != nil {
 			logger.LogIf(ctx, err)
-			return ErrAccessDenied
+			return ErrMalformedXML
 		}
 
 		// Populate payload to extract location constraint.
@@ -165,7 +166,7 @@ func checkRequestAuthType(ctx context.Context, r *http.Request, action policy.Ac
 		var s3Error APIErrorCode
 		locationConstraint, s3Error = parseLocationConstraint(r)
 		if s3Error != ErrNone {
-			return ErrAccessDenied
+			return s3Error
 		}
 
 		// Populate payload again to handle it in HTTP handler.
diff --git a/cmd/globals.go b/cmd/globals.go
index 7d34d8296..3fc601ad2 100644
--- a/cmd/globals.go
+++ b/cmd/globals.go
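Review bot: `io.LimitReader(r.Body, maxLocationConstraintSize)` truncates silently, so a body larger than 3 MiB is read as exactly 3 MiB with err == nil, and the truncated bytes are then handed to parseLocationConstraint and re-installed as the request body for the handler; the oversized request is rejected (if at all) as malformed XML or, presumably, as a payload-hash mismatch downstream rather than for its size. I would read one byte past the limit and reject explicitly: `payload, err := ioutil.ReadAll(io.LimitReader(r.Body, maxLocationConstraintSize+1))` followed by a length check, `if len(payload) > maxLocationConstraintSize { return ... }`, returning whichever API error code the project uses for an oversized entity. Returning ErrMalformedXML when ReadAll itself fails also labels a transport-level read error as a client XML problem; a read failure and a parse failure are different conditions and deserve different codes. checkRequestAuthType starts and ends outside this hunk.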
@@ -76,6 +76,9 @@ const (
 	globalMultipartExpiry = time.Hour * 24 * 14 // 2 weeks.
 	// Cleanup interval when the stale multipart cleanup is initiated.
 	globalMultipartCleanupInterval = time.Hour * 24 // 24 hrs.
+
+	// Limit of location constraint XML for unauthenticted PUT bucket operations.
+	maxLocationConstraintSize = 3 * humanize.MiByte
 )
 
 var (
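Review bot: The comment on `maxLocationConstraintSize` misspells "unauthenticated" and does not record why the bound exists, which is the one thing a future reader tempted to raise it needs to know; I would write it as `// Max bytes of location-constraint XML read from a PUT bucket body. The read happens before the request signature is verified (#5887), so it must be bounded; 3 MiB roughly matches AWS.` The new line references `humanize.MiByte` but this hunk adds no import, so globals.go presumably already imports go-humanize — worth confirming before merge. The enclosing `const (` block starts outside this hunk.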