So the heartbeat bug can lead to memory read overrun, exposing (parts of) the process memory, because it reads the payload when there actually is no (or less) payload.
But what do you need a payload for, especially in a heartbeat?
It looks like it's just memcpy'd into the response. How is it used, exactly?
Edit:
Similar question, very interesting answer: Why does the client supply the length of the message at all?
Edit in response to TildalWave's comment:
This question is not a duplicate of 55116. I'm asking what the payload is used for. The other question is asking how the exploit works in general ("How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?") and does not even contain the word "payload".
Clarification - it seems my question is a little unclear.
- A heartbeat is usually used to check if the other system is still there, which is basically a yes/no question - so why is there a huge 64 KB payload at all (Mark has already mentioned sequence numbers, though)?
- The server does not care about the contents of the payload; it simply copies it into the response (expecting the client to provide the payload length instead of checking it, at least before the Heartbleed fix), right?
- What kind of data would a client put in the payload? A number? A word? A random string? If possible, please provide a link to a source file (preferably C) together with the relevant lines of code.
- Can someone provide an example of a use case that requires the payload to be longer than, say, 8 bytes? Why would using an 8-byte hex sequence number be a bad idea?
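The record handling the question describes, as an added example that is neither the asker's nor OpenSSL's code: a heartbeat parser that trusts the 16-bit length field the way the pre-fix code did, beside the bounds check the fix introduced, plus the echo of the payload into the response. Function names and the sample records are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding RFC 6520 requires after the payload */

/* Heartbeat record: 1 byte type, 2 byte payload length, payload, padding.
 * Returns the payload length that will be echoed, or -1 to drop the record.
 * apply_fix == 0 mirrors the pre-fix logic: the length field is trusted, so a
 * short record claiming 0xFFFF would make memcpy read 64 KB past the data
 * actually received. apply_fix == 1 adds the check from the Heartbleed fix. */
static int heartbeat_payload_len(const uint8_t *rec, size_t rec_len, int apply_fix)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    unsigned claimed = ((unsigned)rec[1] << 8) | rec[2];     /* n2s() in OpenSSL */
    if (apply_fix && 3 + claimed + HB_PADDING > rec_len)
        return -1;                                           /* silently discard */
    return (int)claimed;
}

/* Build the response with the check applied: only bytes proven to lie inside
 * the received record are copied. Padding is zeroed here; OpenSSL randomises it. */
static int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                                    uint8_t *out, size_t out_cap)
{
    int n = heartbeat_payload_len(rec, rec_len, 1);
    if (n < 0 || 3 + (size_t)n + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + 3, rec + 3, (size_t)n);     /* echo the payload back unchanged */
    memset(out + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

/* Constructed sample records (assumed values, not captured traffic). */
static const uint8_t kGoodRecord[3 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t kBadRecord[3 + 1 + HB_PADDING]  = { HB_REQUEST, 0xFF, 0xFF, 'x' };
static uint8_t g_out[64];

static int unchecked_bad_len(void) { return heartbeat_payload_len(kBadRecord, sizeof kBadRecord, 0); }
static int checked_bad_len(void)   { return heartbeat_payload_len(kBadRecord, sizeof kBadRecord, 1); }
static int respond_good(void) { return build_heartbeat_response(kGoodRecord, sizeof kGoodRecord, g_out, sizeof g_out); }

int main(void)
{
    printf("unchecked: %d bytes would be copied; checked: %d; response: %d bytes\n",
           unchecked_bad_len(), checked_bad_len(), respond_good());
    return 0;
}
```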