Re: [PATCH nf] netfilter: nf_tables: avoid skb access on nf_stolen

On Wed, Jun 22, 2022 at 04:43:57PM +0200, Florian Westphal wrote:
> When verdict is NF_STOLEN, the skb might have been freed.
> 
> When tracing is enabled, this can result in a use-after-free:
> 1. access to skb->nf_trace
> 2. access to skb->mark
> 3. computation of trace id
> 4. dump of packet payload
> 
> To avoid 1, keep a cached copy of skb->nf_trace in the
> trace state struct.
> Refresh this copy whenever verdict is != STOLEN.
> 
> Avoid 2 by skipping skb->mark access if verdict is STOLEN.
> 
> 3 is avoided by precomputing the trace id.
> 
> Only dump the packet when verdict is not "STOLEN".

Applied, thanks
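The pattern the quoted commit message describes, as an added illustration that is not the kernel's code or part of this thread: the trace state caches the one skb field the tracer must consult (`nf_trace`) and carries a precomputed trace id, so that after a rule returns NF_STOLEN nothing dereferences the packet. Every identifier below (`struct skb`, `struct trace_state`, `trace_init`, `trace_verdict`, `run_pipeline`, the verdict constants) is a user-space stand-in chosen for the example, not an nf_tables symbol.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the netfilter verdicts (values chosen for this example only). */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2 };

/* Minimal packet buffer with just the fields the tracer touches. */
struct skb {
    uint32_t mark;
    uint8_t nf_trace;
    size_t len;
};

/* Trace state that outlives the packet: everything the tracer needs after a
 * verdict lives here, not behind the skb pointer. */
struct trace_state {
    bool nf_trace;       /* cached copy of skb->nf_trace */
    uint32_t trace_id;   /* precomputed while the skb is still valid */
    uint32_t mark;       /* only meaningful when mark_valid is set */
    bool mark_valid;
    bool packet_dumped;  /* stands in for dumping the payload */
};

/* Initialise the cache once, before any rule can consume the skb. */
static void trace_init(struct trace_state *st, const struct skb *skb, uint32_t id)
{
    memset(st, 0, sizeof(*st));
    st->nf_trace = skb->nf_trace != 0;
    st->trace_id = id;
}

/* Called after each verdict. On NF_STOLEN the skb may already be freed, so it
 * is dereferenced only on the other paths; the cached copy is refreshed there. */
static void trace_verdict(struct trace_state *st, const struct skb *skb, int verdict)
{
    if (verdict != NF_STOLEN) {
        st->nf_trace = skb->nf_trace != 0;   /* refresh cached nf_trace */
        st->mark = skb->mark;                /* mark access is safe here */
        st->mark_valid = true;
        st->packet_dumped = skb->len > 0;    /* dump only when not stolen */
    } else {
        st->mark_valid = false;              /* skip skb->mark entirely */
        st->packet_dumped = false;           /* no payload dump */
    }
    /* A real tracer would emit a record keyed by st->trace_id here and use
     * st->nf_trace to decide whether to emit at all; no skb access needed. */
}

/* Simulate one rule evaluation whose verdict may take ownership of the packet.
 * Returns 0 on success and leaves the resulting trace state in *st. */
int run_pipeline(int verdict, struct trace_state *st)
{
    struct skb *skb = calloc(1, sizeof(*skb));  /* constructed sample packet */
    if (!skb)
        return -1;
    skb->mark = 0x2a;
    skb->nf_trace = 1;
    skb->len = 64;

    trace_init(st, skb, 0x1234);   /* trace id computed while skb is valid */

    if (verdict == NF_STOLEN) {
        free(skb);     /* the rule consumed the packet */
        skb = NULL;    /* a stray dereference now faults instead of silently reading freed memory */
    }
    trace_verdict(st, skb, verdict);
    if (verdict != NF_STOLEN)
        free(skb);
    return 0;
}

int main(void)
{
    struct trace_state st;
    run_pipeline(NF_STOLEN, &st);
    printf("stolen: nf_trace=%d id=%#x mark_valid=%d dumped=%d\n",
           st.nf_trace, st.trace_id, st.mark_valid, st.packet_dumped);
    run_pipeline(NF_ACCEPT, &st);
    printf("accept: nf_trace=%d id=%#x mark=%#x dumped=%d\n",
           st.nf_trace, st.trace_id, st.mark, st.packet_dumped);
    return 0;
}
```

Setting the pointer to NULL after the free is the example's way of making the hazard observable: if `trace_verdict` ever read the skb on the stolen path, the run would crash deterministically rather than read freed memory, which is the same class of defect KASAN would flag in the kernel.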

