That is because they wrote it
It's open source. We know exactly who wrote it. Robin Seggelmann
Turns out he's one of the authors of the RFC regarding the heartbeat functionality of SSL, and his implementation contradicts the RFC (server is supposed to not respond if the length of the requested data does not match the specified length).
So unless the NSA is somehow surreptitiously bribing foreigners working on open source security projects to insert code which subverts the purpose of the project they're working on out of love, no, the NSA didn't write it.
Actually if you check the git repo you see that the bug isn't a common C mistake and should have been obvious. This is a mistake I would expect out of a CS 101 student, not someone maintaining a widely used encryption package. I mean seriously, you don't bother checking the length of the message you received before echoing it?
It's not a common mistake if you're writing C code by the seat of your pants. But it's one I can easily see creeping in if you're editing and cutting and pasting code. When you write code like this, you do a length check once, then everything you write afterwards assumes the length has been checked. You do not re-check the length every time you use the variable.
If you rearrange the code, or cut and paste a piece while forgetting to also cut and paste the length check, suddenly you get this bug. It's a common enough error that malloc specifically has protections to prevent this bug (it'll crash the program, forcing you to re-check your code to find the bug). Unfortunately, the OpenSSL team disabled that safeguard in order to improve performance on some systems which ran too slow with the safety check in place.
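An added illustration of the missing check the comments above describe, written for this thread rather than taken from OpenSSL: a heartbeat record is modelled as a 1-byte type, a 2-byte big-endian payload length, the payload, and 16 bytes of padding. `hb_overread_bytes` computes how far an unchecked handler would read past the record it actually received, and `hb_process` is the hardened form that silently discards a record whose declared length does not fit. Function names and the sample records are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding the record must carry */

/* Payload length as declared by the sender (2-byte big-endian field). */
static size_t hb_declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes an unchecked echo would read beyond the received record: it trusts
 * the declared payload length instead of the record length it was handed. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    size_t need = 1 + 2 + hb_declared_len(rec) + HB_PADDING;
    return need > rec_len ? need - rec_len : 0;
}

/* Hardened handler: writes the response into out and returns its length,
 * or -1 when the record must be discarded without a reply. */
long hb_process(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;      /* too short to even parse */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = hb_declared_len(rec);
    /* The check the comments say was missing: declared length must fit the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                /* echo only what was received */
    memset(out + 3 + payload, 0, HB_PADDING);         /* constructed: zero padding */
    return (long)resp_len;
}

/* Constructed sample records (not real captures): both are 23 bytes long,
 * but the second claims a 65535-byte payload. Trailing bytes are zero padding. */
static const uint8_t GOOD_REC[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t BAD_REC[23]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

long demo_good(void) { uint8_t out[64]; return hb_process(GOOD_REC, sizeof GOOD_REC, out, sizeof out); }
long demo_bad(void)  { uint8_t out[64]; return hb_process(BAD_REC, sizeof BAD_REC, out, sizeof out); }
size_t demo_bad_overread(void) { return hb_overread_bytes(BAD_REC, sizeof BAD_REC); }
int demo_good_echoes_payload(void) {
    uint8_t out[64];
    if (hb_process(GOOD_REC, sizeof GOOD_REC, out, sizeof out) < 0) return 0;
    return out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0;
}
```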