kallus,

Re: "What about the very similar code in ssl/t1_lib.c below, is something subtle making it safe or is that also part of the bug?"

They both contain the same bug with the same malicious result. The code here is for UDP packets, the code below is for TCP packets. The exploits seen in-the-wild against major Internet companies would have followed the code path below, since HTTP sits atop TCP.