Since so many people are talking about this issue, I will join too.
Openssl has a very simple yet dangerous flaw in the programming when they implemented the heartbeat feature.
Heartbeat is used to keep the session alive by having client server send a request over and the hosting server sends a response back.
But the issue with that is the request contains both the package and the package size.
and openssl simply echos back the original package and append anything after it with whatever package size it was specified?
REALLY? SERIOUSLY?
example: request: hello world, size: 64kb
response: hello world MYPASSWORD: blah blah blah, size 64kb.
The section of MYPASSWORD: blah blah blah is what is stored in memory, this happens because the response must return 64kb starting from where the "hello world" variable is stored, so it appends everything after it until is 64kb long. (there are many explanations online, so i won't go into detail about this)
So the point I am trying to make here is:
When accepting requests, NEVER trust what the user is giving you.
This is the same for username, text, or anything else, always ALWAYS validate the variable that is passed in, no matter if is a string, a number, any sql statements for sql injection, THE SIZE (in this case).
Doesn't matter what it is, all data coming in MUST get validated before doing anything.