notes (240B)
1Buffer.write does not check wether the value being written has an adequate size.. 2We can read OOB relative to the request.response.. 3We generate multiple subrequests to increase the chances of hitting an 4address close to the flag variable.