In a heartbeat, Robin Seggelmann <seggelmann at fh-muenster.de> submitted this line of code, which was committed an hour before midnight on New Year's Eve, 2011, by Stephen Henson <steve at openssl.org>.
Originally Posted by cogset
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
That line of code is only present in OpenSSL versions between 1.0.1 and 1.0.1f, including betas; anything older or newer and the bug isn’t present.
The fix was simply to limit the payload plus padding to 16 bytes.
And, to not allow the heartbeat to exceed its maximum length:
|- /* Read type and payload length first */
| - hbtype = *p++;
| - n2s(p, payload);
| - pl = p;
unsigned int write_length = 1 /* heartbeat type */ +
+ 2 /* heartbeat length */ +
+ payload + padding;
+ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
+ return 0;
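Review bot: The `write_length > SSL3_RT_MAX_PLAIN_LENGTH` test caps the size of the reply, but nothing in these lines compares `payload` with the number of bytes actually received in the record, so a length field larger than the record still passes as long as it stays under the maximum. Please confirm the part of the patch not shown here discards a record shorter than `1 + 2 + payload + padding` before `pl` is used. A one-line comment on why `return 0` (silent discard) is the chosen failure path would also help the next reader.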
Of course, if the attacker went to the effort to save previous pcaps of traffic (are you listening GCHQ, NSA, FIS, MPS, etc?), that attacker could just pull the private key from the site and decrypt all saved communications.
The user needs to do a few things themselves.
For example, most users' web browsers are set, by default, to NOT check for revoked certificates!
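The length checks discussed earlier in this post, as a standalone added example that is not OpenSSL's code or part of the original post. The names `hb_build_response`, `HB_PADDING` and `HB_MAX_PLAIN` are hypothetical, the record layout (type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520, and the zero-filled padding is a simplification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING   16      /* minimum padding length, RFC 6520 */
#define HB_MAX_PLAIN 16384   /* value of SSL3_RT_MAX_PLAIN_LENGTH */

/* Hypothetical helper: build the reply to one received heartbeat record.
 * Returns the reply length, or 0 when the record must be silently dropped. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != 1)   /* 1 = request */
        return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* claimed length */
    size_t write_length = 1 + 2 + payload + HB_PADDING;
    if (write_length > rec_len)        /* claim exceeds bytes received */
        return 0;
    if (write_length > HB_MAX_PLAIN || write_length > out_cap)
        return 0;
    out[0] = 2;                        /* 2 = response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload); /* stays inside rec[] after the checks */
    memset(out + 3 + payload, 0, HB_PADDING); /* simplification: zero padding */
    return write_length;
}

/* Constructed sample: 4-byte payload with an honest length field. */
size_t hb_demo_honest(void) {
    uint8_t rec[3 + 4 + HB_PADDING] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

/* Constructed sample: same 23 bytes, length field claims 0x4000. */
size_t hb_demo_overclaim(void) {
    uint8_t rec[3 + 4 + HB_PADDING] = {1, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void) {
    printf("honest=%zu overclaim=%zu\n", hb_demo_honest(), hb_demo_overclaim());
    return 0;
}
```

The honest record is answered with 23 bytes; the record whose length field overstates what was received is dropped and nothing is copied.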