Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Thu, Mar 19, 2020 at 11:34:38AM +0100, Florian Westphal wrote:
> > Martin Zaharinov <micron10@xxxxxxxxx> wrote:
> >
> > [ trimming CC ]
> >
> > Please revert
> >
> > commit 28f8bfd1ac948403ebd5c8070ae1e25421560059
> > netfilter: Support iif matches in POSTROUTING
>
> Please, specify a short description to append to the revert.

TCP makes use of the rb_node in sk_buff for its retransmit queue,
amongst others.

skb->dev aliases to this storage, i.e., passing skb->dev as the input
interface in postrouting may point to another sk_buff instead.

This will cause crashes and data corruption with nf_queue, as we will
attempt to increment a random pcpu variable when calling dev_hold().

Also, the memory address may also be free'd, which gives UAF splat.
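Added example, not part of the original message and not kernel code: a user-space model of the aliasing described above, showing that once a packet is linked into an rbtree, reading its dev field returns the address of another packet. The type toy_skb, its reduced field layout, and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; constructed for illustration, not kernel code. */
struct net_device { int refcnt; };

struct rb_node {
    unsigned long parent_color;
    struct rb_node *rb_right;
    struct rb_node *rb_left;
};

struct toy_skb {
    union {
        struct {                      /* list / device view */
            struct toy_skb *next;
            struct toy_skb *prev;
            struct net_device *dev;
        };
        struct rb_node rbnode;        /* view used while queued in an rbtree */
    };
};

/* 1 if dev occupies the same bytes as rbnode.rb_left. */
int dev_aliases_rb_left(void)
{
    return offsetof(struct toy_skb, dev) ==
           offsetof(struct toy_skb, rbnode) + offsetof(struct rb_node, rb_left);
}

/* Link 'child' below 'parent' the way an rbtree insert would, then read dev. */
int dev_points_at_other_skb(void)
{
    static struct net_device eth0;
    static struct toy_skb parent, child;

    parent.dev = &eth0;                     /* valid before queueing */
    parent.rbnode.rb_left = &child.rbnode;  /* queueing overwrites that slot */

    /* parent.dev is now the address of another skb, not a net_device. */
    return (void *)parent.dev == (void *)&child && parent.dev != &eth0;
}

int main(void)
{
    printf("dev aliases rb_left: %d\n", dev_aliases_rb_left());
    printf("dev points at other skb: %d\n", dev_points_at_other_skb());
    return 0;
}
```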