An attacker sends a SOAP request with an array whose actual length exceeds
						the length indicated in the request. When a data structure including a SOAP
						array is instantiated, the sender transmits the size of the array as an
						explicit parameter along with the data. If the server processing the
						transmission naively trusts the specified size, then an attacker can
						intentionally understate the size of the array, possibly resulting in a
						buffer overflow if the server attempts to read the entire data set into the
						memory it allocated for a smaller array. This, in turn, can lead to a server
						crash or even the execution of arbitrary code.