CVE-2014-0160 Heartbleed: Missing bounds check in OpenSSL tls1_process_heartbeat
CVE-2014-0160 (Heartbleed): The TLS heartbeat extension in OpenSSL 1.0.1 through 1.0.1f is missing a bounds check, which allows an attacker to read up to ~64KB of process memory per request. The function tls1_process_heartbeat in ssl/t1_lib.c trusts the 16-bit payload length field from the attacker-supplied heartbeat message without verifying that this length is consistent with the actual length of the received TLS record (s->s3->rrec.length). It then uses memcpy to copy that many bytes, starting at the payload in the record data, into a response buffer that is sent back to the peer, leaking adjacent process memory (potentially containing private keys, session tokens, passwords, etc.). The DTLS twin dtls1_process_heartbeat in ssl/d1_both.c has the same flaw.
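The length-consistency check described above, as an added example: a simplified model written for this page, not OpenSSL's code. The names hb_reply_unchecked, hb_reply_checked and MEM are hypothetical, and MEM is constructed sample data standing in for the record and the memory next to it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3   /* 1-byte type + 2-byte payload length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */
#define REC_LEN     (HB_HDR + 2 + HB_PADDING)  /* bytes actually received */

/* Constructed stand-in for process memory: a 21-byte heartbeat record whose
 * payload is "hi" but whose length field claims 32, then unrelated data. */
static const uint8_t MEM[64] = {
    HB_REQUEST, 0x00, 0x20, 'h', 'i',
    [REC_LEN] = 'S', 'E', 'C', 'R', 'E', 'T', '-', 'D', 'E', 'M', 'O', '-', 'D', 'A', 'T', 'A'
};

/* Flawed pattern: rec_len is ignored and the claimed length drives memcpy.
 * The read stays defined here only because MEM is larger than the record. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    return HB_HDR + payload;
}

/* Hardened pattern: drop the message (return 0) unless it is a request and
 * header, claimed payload and padding fit in the received record and in out. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t total = HB_HDR + payload + HB_PADDING;
    if (total > rec_len || total > cap || rec[0] != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING); /* random in real code */
    return total;
}

int main(void)
{
    uint8_t out[64];
    printf("unchecked: %zu bytes\n", hb_reply_unchecked(MEM, REC_LEN, out));
    printf("checked:   %zu bytes\n", hb_reply_checked(MEM, REC_LEN, out, sizeof out));
    return 0;
}
```

With the unchecked form, the 14 response bytes past offset 21 come from the data after the record; the checked form discards the same message because 3 + 32 + 16 exceeds the 21 bytes received.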