As per @SonarSource, The problem lies with the server reading 16 bytes on line 13 into its buffer without making sure that the string is null-terminated (the last byte of the buffer is null). Sending 16 non-null bytes to the server will return them and the adjacent buffer containing sensitive data!