I’ll explain:
From my understanding of the code, the server stores the buffer from the client, ‘pl’, on the heap, allocates a buffer ‘bp’ with the size ‘payload’ (given by the client), and then memcpys ‘payload’ bytes from ‘pl’, and that’s where the magic happens – ‘pl’ is smaller in reality, so it memcpys a lot of bytes after it.
My question is – when the server stores ‘pl’ on the heap, doesn’t it allocate ‘payload’ bytes for it as well? Why does it matter that the attacker “lied” in this case?
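A reduced model of the handler described in the question, added here as an example that is not code from the original post or from OpenSSL; it assumes the code in question is OpenSSL's TLS heartbeat handler (the names pl, bp and payload match it), and the record_t type is a hypothetical stand-in for the received record, whose allocation covers only the bytes actually received, not the client's length field. It shows the missing bounds check beside the hardened form, and computes (without performing) the over-read the unchecked memcpy would do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HDR 3
#define HB_PAD 16

/* Hypothetical stand-in for the received record: `length` is the number of
 * bytes the TLS layer actually received and allocated for; the client's
 * payload_length field has no influence on this allocation. */
typedef struct { const unsigned char *data; size_t length; } record_t;

/* Declared payload length from the header, or -1 if the record cannot hold one. */
static long declared_payload(const record_t *r) {
    if (r->length < HB_HDR) return -1;
    return (r->data[1] << 8) | r->data[2];
}

/* Vulnerable logic as the question describes it: trust `payload` and copy that
 * many bytes from pl = data + HB_HDR. To stay memory-safe this function does
 * not copy; it returns how many bytes past the received record the memcpy
 * would read (0 means the request is consistent). */
size_t vulnerable_overread(const record_t *r) {
    long payload = declared_payload(r);
    if (payload < 0) return 0;
    size_t needed = HB_HDR + (size_t)payload;
    return needed > r->length ? needed - r->length : 0;
}

/* Hardened logic, the shape of the upstream fix: discard the record when the
 * declared payload plus header and minimum padding exceeds what was received,
 * and only then allocate bp and copy `payload` bytes from pl. */
unsigned char *hardened_response(const record_t *r, size_t *out_len) {
    long payload = declared_payload(r);
    if (payload < 0) return NULL;
    if (HB_HDR + (size_t)payload + HB_PAD > r->length) return NULL; /* silently discard */
    const unsigned char *pl = r->data + HB_HDR;
    size_t n = HB_HDR + (size_t)payload + HB_PAD;
    unsigned char *bp = malloc(n);
    if (!bp) return NULL;
    bp[0] = 2;                               /* heartbeat_response */
    bp[1] = (unsigned char)(payload >> 8);
    bp[2] = (unsigned char)payload;
    memcpy(bp + HB_HDR, pl, (size_t)payload); /* now provably inside the record */
    memset(bp + HB_HDR + payload, 0, HB_PAD); /* padding (random bytes in real code) */
    *out_len = n;
    return bp;
}
```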