That leaves the possibility out of consideration that, despite what the author says, the exploit was placed deliberately. It is easily conceivable that if Mr. Seggelmann hasn't been "working for an espionage agency", he still may have been blackmailed by one. It's not like you would know if that had happened.
He sure wouldn't be telling Die Welt anything but "it was not deliberate" if e.g. US governmental murderers threatened to kill his wife if he didn't plant a backdoor.
To me, this doesn't look much like an accident, though of course it might be. It's funny that he's assigning the length extracted from the request to a dedicated variable before doing the memcpy, though. Which suggests that he had at least looked at that variable more than just once when typing it down.
But what's more important in raising suspicion is that the entire feature is kind of useless, and its implementation is also somewhat superfluous. Assuming the protocol works as intended, you do not need a heartbeat in the first place. Either TCP reports a destination unreachable error when you send something, or your packets make it through and you get an answer. Presto, the other end is alive. And assuming the protocol is secure, the answer is of such a kind that you can read it, and only the other end could have created it, so no malicious third party could pretend the other end is alive when it isn't (on the other hand, if the crypto doesn't work, then heartbeat won't work any better either).
If you need to know that the other side is still alive (but... why? this is like querying the current CPU that a thread is running on), sending and echoing a random number the length (or less than) of one block would be perfectly sufficient. Assuming the crypto protocol works, nobody but the other end could echo the correct block. Hash it to further "randomize" the traffic if you're super paranoid (though block chaining will hide the pattern anyway). The only observable information, if anything, is "exchanged two blocks of data", which may really be anything.
Assuming that a heartbeat is really useful and important, there is absolutely no need for arbitrarily-sized user-supplied payloads up to 64kB, which is the very source of the exploit. So, why is there a provision for that in the first place? Only one answer seems plausible.
Edited by samoth, 11 April 2014 - 04:08 AM.