https://lgtm.com/blog/apple_xnu_packet_mangler_CVE-2017-13904
There were multiple bugs in packet_mangler.c. One of the infinite loop bugs was fixed in macOS High Sierra 10.13.2. The other bugs were fixed in macOS High Sierra 10.13.5.
For a demo, the best query to show is tcphdr_mbuf_copydata.ql, because it uses taint tracking to show the stack buffer overflow.
ArrayIndexMightOverflow.ql is a simplified version of the query that originally led us to look at this code. It looks for array indices that might be negative.
InfiniteLoop.ql is a query inspired by one of the bugs in this code: the loop might not terminate because the loop counter is updated with a compound assignment (+=). We wrote an exploit which causes the right-hand side of the assignment to be zero, so the counter never advances and the loop runs forever.
All three queries find results in this snapshot (macOS 10.13).
The queries also find results in this newer snapshot for 10.13.3. Apple thought they had fixed the infinite loop bug in 10.13.2, by changing the comparison in the loop condition to a >. They were wrong: the increment can still be zero, and no comparison operator helps when the counter never moves.
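The loop pattern behind InfiniteLoop.ql, and why swapping the comparison operator does not fix it, as an added illustration in C. This is constructed for this note and is not the XNU packet_mangler.c code: the walker, the record format (1-byte type, 1-byte length that covers both header bytes, then payload), the sample buffers and the WALK_LIMIT cap are all assumptions. The cap exists only so the vulnerable walker can be run from a test instead of hanging.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Safety cap so walk_vulnerable() can be demonstrated without hanging.
 * Hypothetical; real code has no such cap, which is the whole problem. */
#define WALK_LIMIT 1000

/* Vulnerable pattern (hypothetical, not the XNU code): the offset is
 * advanced with '+=' by an attacker-controlled length byte.  A length of
 * 0 makes the right-hand side zero, 'off' never changes, and the loop
 * never terminates.  Rewriting the condition as 'off > len', '>=', etc.
 * changes nothing, because 'off' is the same on every iteration.
 * Returns the number of records walked, or -1 if WALK_LIMIT was hit
 * (i.e. the loop would have spun forever). */
int walk_vulnerable(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int seen = 0;
    int iters = 0;
    while (off < len) {
        if (++iters > WALK_LIMIT)
            return -1;              /* stand-in for "hang" */
        if (off + 2 > len)
            break;                  /* not enough bytes for a header */
        size_t optlen = buf[off + 1];
        seen++;
        off += optlen;              /* optlen == 0 => no progress */
    }
    return seen;
}

/* Hardened version: the fix is to validate the step, not the comparison.
 * Every accepted length is at least 2 (the header size) and at most the
 * bytes remaining, so 'off' strictly increases and stays inside 'buf'.
 * Returns the record count, or -1 for a malformed buffer. */
int walk_hardened(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int seen = 0;
    while (off + 2 <= len) {
        size_t optlen = buf[off + 1];
        if (optlen < 2 || optlen > len - off)
            return -1;              /* zero/short or oversize length */
        seen++;
        off += optlen;              /* guaranteed to advance by >= 2 */
    }
    return seen;
}

/* Constructed sample inputs (assumptions, not captured packets). */
static const uint8_t SAMPLE_GOOD[]  = { 0x01, 0x03, 0xAA, 0x02, 0x02 }; /* two records */
static const uint8_t SAMPLE_ZERO[]  = { 0x01, 0x00, 0xAA };             /* length 0 */
static const uint8_t SAMPLE_LARGE[] = { 0x01, 0x09 };                   /* length past end */

int main(void)
{
    printf("good : vulnerable=%d hardened=%d\n",
           walk_vulnerable(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           walk_hardened(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("zero : vulnerable=%d hardened=%d\n",
           walk_vulnerable(SAMPLE_ZERO, sizeof SAMPLE_ZERO),
           walk_hardened(SAMPLE_ZERO, sizeof SAMPLE_ZERO));
    printf("large: vulnerable=%d hardened=%d\n",
           walk_vulnerable(SAMPLE_LARGE, sizeof SAMPLE_LARGE),
           walk_hardened(SAMPLE_LARGE, sizeof SAMPLE_LARGE));
    return 0;
}
```

On the zero-length input the vulnerable walker only stops because of the artificial cap; the hardened one rejects the record outright. The oversize case shows the second half of the check: without the upper bound the vulnerable walker silently jumps past the end of the buffer, which is the kind of index a query like ArrayIndexMightOverflow.ql is meant to flag.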