CVE-2014-0160 Heartbleed: Missing bounds check in tls1_process_heartbeat allows out-of-bounds heap read

OpenSSL CVE-2014-0160 (Heartbleed): The TLS heartbeat request handler reads a 2-byte attacker-controlled payload length from the incoming TLS record, then calls memcpy(bp, pl, payload) to echo it back — without ever checking that the actual record contains that many bytes. This allows reading up to 65535 bytes of heap memory per request, leaking secrets (private keys, session tokens, passwords) from the server process. Affects both TLS (ssl/t1_lib.c: tls1_process_heartbeat) and DTLS (ssl/d1_both.c: dtls1_process_heartbeat) in OpenSSL 1.0.1 through 1.0.1f.