Report

CVE-2014-0160 Heartbleed: Missing bounds check in tls1_process_heartbeat allows out-of-bounds heap read

d51f8cc0-b4ab-452b-a868-25880eba12f5

CVE-2014-0160 (Heartbleed): In OpenSSL 1.0.1f, the function tls1_process_heartbeat() in ssl/t1_lib.c processes TLS heartbeat requests without validating that the attacker-supplied payload length field matches the actual data length in the TLS record. An attacker sends a heartbeat request with a tiny actual payload but a large claimed payload length (up to 65535 bytes). The server copies 'payload' bytes from memory starting at 'pl' (3 bytes into the record data) via memcpy, leaking up to 64KB of heap memory per request, including private keys, session tokens, and credentials. No authentication required; works on any TLS/DTLS connection.
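The bounds check whose absence is described above, as an added example (not OpenSSL's source and not part of the original report). The function name `hb_build_response`, the `HB_*` constants and the flat-buffer interface are assumptions made for illustration; padding is zero-filled here for simplicity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request message type (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response message type (RFC 6520) */
#define HB_PADDING  16  /* minimum padding length required by RFC 6520 */

/*
 * Hypothetical hardened handler: builds a heartbeat response for the record
 * body rec[0..rec_len). Returns the number of bytes written to out, or 0 when
 * the message is silently discarded (malformed, not a request, out too small).
 */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* Type (1) + length (2) + minimum padding must be present before parsing. */
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;

    uint8_t type = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* claimed length */
    const uint8_t *pl = rec + 3;                      /* 3 bytes into the record */

    /* The missing check: the claimed payload length must fit inside the
     * bytes actually received in this record. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return 0;

    if (type != HB_REQUEST)
        return 0;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, pl, payload);              /* bounded by rec_len above */
    memset(out + 3 + payload, 0, HB_PADDING);  /* simplification: zero padding */
    return resp_len;
}
```

With the second check removed, `memcpy` would trust the claimed length alone, which is the out-of-bounds read the report describes.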
