diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index ff394d5d8..70e69eba9 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -3533,9 +3533,11 @@ func (api objectAPIHandlers) PutObjectLegalHoldHandler(w http.ResponseWriter, r
 		return
 	}
 
-	legalHold, err := objectlock.ParseObjectLegalHold(r.Body)
+	legalHold, err := objectlock.ParseObjectLegalHold(io.LimitReader(r.Body, r.ContentLength))
 	if err != nil {
-		writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)
+		apiErr := errorCodes.ToAPIErr(ErrMalformedXML)
+		apiErr.Description = err.Error()
+		writeErrorResponse(ctx, w, apiErr, r.URL)
 		return
 	}
 
diff --git a/internal/bucket/object/lock/lock.go b/internal/bucket/object/lock/lock.go
index 6401cdffa..8024848ed 100644
--- a/internal/bucket/object/lock/lock.go
+++ b/internal/bucket/object/lock/lock.go
@@ -535,7 +535,7 @@ func (l *ObjectLegalHold) IsEmpty() bool {
 func ParseObjectLegalHold(reader io.Reader) (hold *ObjectLegalHold, err error) {
 	hold = &ObjectLegalHold{}
 	if err = xml.NewDecoder(reader).Decode(hold); err != nil {
-		return
+		return nil, err
 	}
 
 	if !hold.Status.Valid() {