Unit testing would only have caught this if someone had thought to test for an invalid payload length in the incoming request.
Sounds like a good test to me. The length of the payload was an input in this case and it should have been asserted against the true length of the buffer in a test.
Thing is, for networking, those tests need to be right there in the code. Any data coming in off the web needs to be treated like a TSA officer treats a hippie in a 'Legalise Dope' T-shirt.
That is yet another reason why we separate concerns in our code, so that we can plug in mocks and stubs as needed to simulate inputs into or outputs from a module of code. This enables unit testing, but it also leads to better organized and more clearly written code that accurately and concisely expresses the intent of the module. The existence of unit tests is a necessary, although not a sufficient, condition for good code.
Simple code review shows that OpenSSL wasn't doing that.
In hindsight, yes, but this code was reviewed (supposedly) and this was missed. Code review alone is not enough; you must prove it with tests.
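The check and the tests discussed in this thread, as an added example that is not part of the original comments and is not OpenSSL code. The message layout, the function name `parse_echo_request`, and the sample messages are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical echo-request layout (an assumption for this example):
 *   byte 0     message type
 *   bytes 1-2  declared payload length, big-endian
 *   bytes 3..  payload                                              */
#define ECHO_HDR_LEN 3

/* Copies the payload into out and returns its length, or -1 when the
 * declared length is not backed by bytes that were actually received. */
int parse_echo_request(const uint8_t *msg, size_t msg_len,
                       uint8_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || msg_len < ECHO_HDR_LEN)
        return -1;                      /* header itself is truncated */

    size_t declared = ((size_t)msg[1] << 8) | msg[2];

    /* The length field is peer-supplied input: compare it with the
     * true size of the received buffer before reading anything.     */
    if (declared > msg_len - ECHO_HDR_LEN)
        return -1;
    if (declared > out_cap)
        return -1;                      /* reply buffer too small     */

    memcpy(out, msg + ECHO_HDR_LEN, declared);
    return (int)declared;
}

/* Constructed sample messages, one per case a unit test should cover. */
static const uint8_t honest_msg[]   = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t lying_msg[]    = { 0x01, 0x40, 0x00, 'h', 'i' }; /* claims 16384, carries 2 */
static const uint8_t off_by_one[]   = { 0x01, 0x00, 0x03, 'a', 'b' }; /* claims 3, carries 2     */
static const uint8_t short_header[] = { 0x01, 0x00 };
static const uint8_t empty_msg[]    = { 0x01, 0x00, 0x00 };

static uint8_t reply[32];

/* Small wrapper so each case is a one-line call. */
int try_parse(const uint8_t *msg, size_t len)
{
    return parse_echo_request(msg, len, reply, sizeof reply);
}
```

The over-long and off-by-one cases are the ones a happy-path test suite never exercises, which is why they have to be written deliberately.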