DF-0450
OOB kernel heap read in ng_string_unparse via unbounded strlen on binary data without NUL terminator
Summary
ng_string_unparse(:722-735): raw=data+*off(:726), ng_encode_string(raw)(:727) + strlen(raw)+1(:732) scan for NUL with no upper bound. BINARY2ASCII path validates arglen(ng_base.c:1514-1516) but unparse ignores it. Binary data with no NUL in field -> strlen reads past message allocation into kernel heap. Leaked bytes encoded and returned in ASCII response. On 32-bit: strlen*4 can overflow size_t -> small kmalloc + heap write overflow in encoding loop. Netgraph7 passes explicit length; v1 does not.