Use this snapshot for the demo.
There are two parts to this demo. The first part is 00_mbuf_copydata_tainted_size.ql, which is the dataflow query that found the bug. It is explained in detail in this blog post. The problem with this query is that it does not find the true source of the untrusted data. This is because it assumes that any call to the function named m_mtod can return untrusted data. But not every mbuf contains untrusted data. So the second part of the demo, corresponding to this blog post, is to use dataflow analysis to find a path that gets an untrusted mbuf into icmp_error. The second part of the demo is developed in steps, starting with 01_paths_to_icmp_error.ql.