> it's simple if you realize that memory heaps are sequential and the server's private key can be found after the address of a short-lived packet buffer…

Your comment seems to imply an out-of-bounds access (a read past the allocated buffer), but Heartbleed has no out-of-bounds access.

Instead, it's a problem of malloc (and even more so OpenSSL's freelist scheme) returning non-zeroed memory, which can (and often does) hold previously allocated data, combined with read(2) not overwriting the whole buffer and not checking read(2)'s return value, which means the aforementioned previously allocated data gets sent back.
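The failure mode described in this comment (a recycled, non-zeroed buffer, a short read(2) whose return value is ignored, and the whole buffer echoed back), as an added C example that is not part of the original thread, with the hardened version beside it. The one-block freelist, fake_read, the stale secret string and the sizes are all constructed stand-ins, not OpenSSL code.

```c
#include <string.h>

/* Constructed stand-in for an allocator freelist: one recycled block that is
 * handed back without being zeroed, as the comment describes. */
#define BLOCK_SIZE 32
static unsigned char pool_block[BLOCK_SIZE];
static unsigned char echoed[BLOCK_SIZE];   /* what goes back on the wire */

static unsigned char *pool_alloc(size_t n) { return n <= BLOCK_SIZE ? pool_block : NULL; }
static void pool_free(unsigned char *p) { (void)p; }   /* contents survive */

/* Leaves a constructed secret behind in the recycled block, as an earlier,
 * now-freed allocation would. */
static void seed_stale_secret(void) {
    memcpy(pool_block, "STALE-PRIVATE-KEY-MATERIAL-0001", BLOCK_SIZE);
}

/* Constructed stand-in for read(2): only `avail` bytes arrived, so that many
 * are copied and the count returned; the rest of buf is left untouched. */
static size_t fake_read(const unsigned char *wire, size_t avail,
                        unsigned char *buf, size_t want) {
    size_t n = avail < want ? avail : want;
    memcpy(buf, wire, n);
    return n;
}

/* Vulnerable pattern: read(2)'s return value is dropped and all `want` bytes
 * of the recycled buffer are echoed, stale contents included. */
static size_t echo_unchecked(const unsigned char *wire, size_t avail, size_t want) {
    unsigned char *buf = pool_alloc(want);
    if (!buf) return 0;
    (void)fake_read(wire, avail, buf, want);
    memcpy(echoed, buf, want);
    pool_free(buf);
    return want;
}

/* Hardened pattern: zero the block first and echo only what actually arrived. */
static size_t echo_checked(const unsigned char *wire, size_t avail, size_t want) {
    unsigned char *buf = pool_alloc(want);
    if (!buf) return 0;
    memset(buf, 0, want);
    size_t got = fake_read(wire, avail, buf, want);
    memcpy(echoed, buf, got);
    pool_free(buf);
    return got;
}
```

With a 4-byte "PING" arriving against a requested 24 bytes, echo_unchecked sends 24 bytes whose tail is the stale secret, while echo_checked sends exactly 4.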



