> ±1300 bytes

I wouldn't have thought it possible to generate a negative-sized request...

One of my pet peeves is fixed-length buffers in C code, of some size that (thankfully, it's checked to prevent going off the end - most of the time, at least...) has no real justification documented anywhere - "why use 72 bytes and not e.g. 80? Why 999, and not 1000 or 1024?" If you're going to use C, I think you should be paying more attention to memory allocation and how big things like requests/responses can be; otherwise, you should use a "safer" language possibly with dynamic allocation that can handle any size... but on a constrained system like a router that may not be possible (or it'll just turn into an opportunity for OOM DoS.)

Sidebar, who releases these? Is there a feed(s) that devops/sysadmin/people follow to get the CVE-X-Y reports, or is it more ad hoc/whoever finds them?