No production code without unit tests. Every possible type or class of input must be tested. All assumptions must be tested. All outputs must be verified for each possible combination of inputs. All failure modes must be exercised. No excuses, just do it.
Unit testing would only have caught this if someone had thought to test for an invalid payload length in the incoming request. Maybe OpenSSL would be a good candidate for full-blown formal methods that could mathematically prove that it matched the specification - however, then it's important to remember that the proof only says that the code matched the specification, not that the specification matched the real world, so all it really does is shift the complexity and scope for errors to the specification.
Thing is, for networking, those tests need to be right there in the code. Any data coming in off the web needs to be treated like a TSA officer treats a hippie in a 'Legalise Dope' T-shirt. Simple code review shows that OpenSSL wasn't doing that.
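As an added example, not code from any poster above and not OpenSSL's own, here is a heartbeat-record parser that applies the length check the thread says was missing before it trusts anything in the request, together with constructed sample records covering the failure modes the first comment asks to be exercised. The record layout follows RFC 6520 (type byte, 16-bit length, payload, at least 16 bytes of padding); the function names, constants and sample bytes are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Record layout follows RFC 6520: 1-byte type, 2-byte big-endian
   payload_length, payload, then at least 16 bytes of padding. The names and
   constants below are this example's own, not OpenSSL's. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_MAX_PAYLOAD  16384
#define HB_TYPE_REQUEST 1

enum hb_status { HB_OK = 0, HB_ERR_SHORT, HB_ERR_TYPE, HB_ERR_LENGTH };

/* Parse an untrusted heartbeat record. On HB_OK, *payload points into rec and
   *payload_len is the validated length. Reads nothing past rec + rec_len. */
enum hb_status hb_parse(const uint8_t *rec, size_t rec_len,
                        const uint8_t **payload, size_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_ERR_SHORT;                 /* cannot hold header + padding */
    if (rec[0] != HB_TYPE_REQUEST)
        return HB_ERR_TYPE;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The check the thread says was missing: the sender's length claim must
       fit inside the bytes actually received, with room left for padding. */
    if (claimed > HB_MAX_PAYLOAD ||
        claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_ERR_LENGTH;
    *payload = rec + HB_HEADER_LEN;
    *payload_len = claimed;
    return HB_OK;
}

/* Convenience wrapper for tests that only care about accept/reject. */
enum hb_status hb_check(const uint8_t *rec, size_t rec_len)
{
    const uint8_t *p; size_t n;
    return hb_parse(rec, rec_len, &p, &n);
}

/* Constructed sample records (not captured traffic): 4-byte payload "ping"
   followed by 16 zero padding bytes, 23 bytes in total unless noted. */
#define HB_PAD 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
const uint8_t HB_SAMPLE_OK[]       = { 1, 0x00, 0x04, 'p','i','n','g', HB_PAD };
const uint8_t HB_SAMPLE_OVERSIZE[] = { 1, 0xFF, 0xFF, 'p','i','n','g', HB_PAD }; /* claims 65535 */
const uint8_t HB_SAMPLE_OFF1[]     = { 1, 0x00, 0x05, 'p','i','n','g', HB_PAD }; /* one byte too many */
const uint8_t HB_SAMPLE_SHORT[]    = { 1, 0x00, 0x00, 'p','i','n','g' };         /* no padding, 7 bytes */
const uint8_t HB_SAMPLE_TYPE2[]    = { 2, 0x00, 0x04, 'p','i','n','g', HB_PAD }; /* not a request */
```

The off-by-one sample matters most: a claim that is only one byte larger than the data present must be rejected just as firmly as an absurd one.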