Heartbleed - Read overflow

Aug 22, 2019 13:17

Although I was working in industry when the OpenSSL Heartbleed CVE was announced, I didn't fully understand how the exploit worked because at the time, I had very little development background in C. But over the last couple of years, I've been developing more in C (on the job and in academia) and learned (from my Information Security lectures) that the exploit was effectively a read overflow. Unlike a write overflow, where writing data to one variable (on the stack or heap) overwrites data intended for another variable, a read overflow allows someone to peek into data from other memory areas (e.g. heap or stack).
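As an added illustration (not the post's own code and not OpenSSL's), here is a simplified heartbeat handler modelled on the bug: the vulnerable version trusts the length field inside the request and copies that many bytes, while the hardened version first checks the declared length against the size of the record actually received. The function names, the 64-byte receive buffer and the sample request are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of a TLS heartbeat message (not OpenSSL's code): byte 0 is the
 * type (1 = request, 2 = response), bytes 1..2 the declared payload length (big-endian),
 * bytes 3.. the payload. RECORD_BUF is the receive buffer; bytes past the record are stale. */
#define RECORD_BUF 64

/* Vulnerable: trusts the declared length, so it copies bytes it never received. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                  /* the received length is ignored: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload > out_cap) return -1;  /* protects only the output buffer */
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* read overflow when 3 + payload > rec_len */
    return 3 + payload;
}

/* Hardened: the declared length must fit inside the record actually received. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload > rec_len) return -1;  /* the bounds check Heartbleed lacked */
    if ((size_t)3 + payload > out_cap) return -1;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

/* Constructed input: a 4-byte request (payload "A", declared length 40) followed by
 * stale 'S' bytes standing in for whatever was left in the buffer. Returns rec_len. */
size_t build_demo_record(uint8_t buf[RECORD_BUF]) {
    static const uint8_t req[] = { 1, 0x00, 0x28, 'A' };
    memset(buf, 'S', RECORD_BUF);
    memcpy(buf, req, sizeof req);
    return sizeof req;
}

/* Runs the demo through a handler: -1 if it rejected the request, otherwise how many
 * echoed bytes came from beyond the 4-byte record, i.e. were leaked. */
int leaked_bytes(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t)) {
    uint8_t buf[RECORD_BUF], out[RECORD_BUF];
    size_t rec_len = build_demo_record(buf);
    int n = handler(buf, rec_len, out, sizeof out), leaked = 0;
    for (int i = 3; i < n; i++) if (out[i] == 'S') leaked++;
    return n < 0 ? n : leaked;
}
```

The vulnerable handler echoes 39 stale bytes it never received; the hardened one rejects the request outright, which is the whole difference between the bug and its fix.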