I don't get it..
I'm wondering again how code gets written without bounds-checking on "message length" parameters. It's not the first time, is it?
Is the leaked data simply the junk that was in de-assigned memory? It looks like kind of important stuff you might not want to write over, let alone send over the internet.
Perhaps as a general rule, apart from the obvious bounds checking, one should clear all memory as it becomes (re-)assigned? Or better, on de-assignment.
Perhaps generally these under-runs or their over-run brethren should be detected and escalated as a general principle.
Just suggesting, perhaps we could be a bit less crap at everything?
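
The defences this comment asks about (checking a claimed message length against the bytes actually received, counting rejections so they can be escalated, and clearing memory on release), as an added example that is not part of the original comment or any project's code. The record layout (2-byte big-endian length, then payload), the function names and the status codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for a length-prefixed echo record. */
enum { ECHO_OK = 0, ECHO_TRUNCATED = -1, ECHO_LENGTH_MISMATCH = -2, ECHO_NO_SPACE = -3 };

/* Escalation hook: a counter a caller could export to logging or alerting. */
static unsigned long rejected_records;

/* Zero through a volatile pointer so the store is not optimised away before free(). */
static void wipe_and_free(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
    free(p);
}

/* Build the echo reply. rec_len is the number of bytes actually received. */
int build_echo(const uint8_t *rec, size_t rec_len,
               uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < 2) { rejected_records++; return ECHO_TRUNCATED; }
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    /* The check the comment is about: never trust the sender's length field. */
    if (claimed > rec_len - 2) { rejected_records++; return ECHO_LENGTH_MISMATCH; }
    if (claimed > out_cap) return ECHO_NO_SPACE;

    /* Stage the reply on the heap, as a server with pooled buffers might. */
    uint8_t *scratch = malloc(claimed ? claimed : 1);
    if (!scratch) return ECHO_NO_SPACE;
    memcpy(scratch, rec + 2, claimed);
    memcpy(out, scratch, claimed);
    *out_len = claimed;
    wipe_and_free(scratch, claimed);   /* clear on de-assignment */
    return ECHO_OK;
}

int main(void) {
    /* Constructed sample: the header claims 0x4000 bytes but only 3 were sent. */
    const uint8_t lie[] = { 0x40, 0x00, 'a', 'b', 'c' };
    uint8_t out[16];
    size_t n = 0;
    int rc = build_echo(lie, sizeof lie, out, sizeof out, &n);
    printf("status=%d rejected=%lu\n", rc, rejected_records);
    return 0;
}
```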