Wireshark-dev: [Wireshark-dev] Possible change to packet-ssl.c?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 9 Apr 2014 16:49:43 -0700
Should this chunk of code:

    if (tree) {
        if (type && (payload_length <= record_length - 16 - 3)) {
            proto_item_set_text(tree, "%s Record Layer: Heartbeat "
                                "%s",
                                val_to_str_const(*conv_version, ssl_version_short_names, "SSL"),
                                type);
            proto_tree_add_item(tls_heartbeat_tree, hf_ssl_heartbeat_message_type,
                                tvb, offset, 1, ENC_BIG_ENDIAN);
            offset += 1;
            proto_tree_add_uint(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload_length,
                                tvb, offset, 2, payload_length);
            offset += 2;
            proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_payload,
                                        tvb, offset, payload_length,
                                        NULL, "Payload (%u byte%s)",
                                        payload_length,
                                        plurality(payload_length, "", "s"));
            offset += payload_length;
            proto_tree_add_bytes_format(tls_heartbeat_tree, hf_ssl_heartbeat_message_padding,
                                        tvb, offset, padding_length,
                                        NULL, "Padding and HMAC (%u byte%s)",
                                        padding_length,
                                        plurality(padding_length, "", "s"));
        } else {
            proto_item_set_text(tree,
                                "%s Record Layer: Encrypted Heartbeat",
                                val_to_str_const(*conv_version, ssl_version_short_names, "SSL"));
            proto_item_set_text(tls_heartbeat_tree,
                                "Encrypted Heartbeat Message");
        }
    }

perhaps report an expert info if the payload length is too large?  Why is that treated as a "this is encrypted" indication rather than a "somebody's trying to extract whatever's in the server's memory after the request payload" indication?