From da8c7aebc5602c04b771ada71a098ccb23d83a48 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Thu, 2 Oct 2025 15:22:08 +0200
Subject: fix(log): systematically drop when .drop() is used

When the `php` logging facility is used, the error could have been caught by using `set_error_handler` and whatnot. This commit ensures that if the `.drop()` option is set, we're calling `zend_bailout()` that can't be caught. An attacker could have used this issue to silently perform some recon of the running environment. This isn't considered a vulnerability as an attacker with arbitrary php code execution can simply use the use-after-free of the day to gain arbitrary (native) code execution anyway, after detecting that Snuffleupagus is in use, to take little risks of detection.
---
 src/sp_utils.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'src/sp_utils.c')
diff --git a/src/sp_utils.c b/src/sp_utils.c
index b045f61..775ff95 100644
--- a/src/sp_utils.c
+++ b/src/sp_utils.c
@@ -52,19 +52,19 @@ void sp_log_msgf(char const* const restrict feature, int level, int type,
 syslog(syslog_level, "[snuffleupagus][%s][%s][%s] %s in %s on line %d", client_ip, feature, logtype, msg, error_filename, error_lineno);
 closelog();
- efree(msg);
- if (type == SP_TYPE_DROP) {
- zend_bailout();
- }
 break;
 }
 case SP_LOG_ZEND:
 default:
 zend_error(level, "[snuffleupagus][%s][%s][%s] %s", client_ip, feature, logtype, msg);
 break;
 }
+
+ efree(msg);
+ if (type == SP_TYPE_DROP) {
+ zend_bailout();
+ }
 }
 int compute_hash(char const* const restrict filename,
--
cgit v1.3
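Review bot: The new tail after the `switch` carries a security invariant that is stated only in the commit message, so it deserves a comment above `efree(msg);`, for example `/* Drop regardless of log medium: zend_error() can be routed to a userland error handler, so termination must not depend on it. */`. On the `SP_LOG_ZEND` path a handler registered with `set_error_handler` presumably still runs, and receives the formatted message, before `zend_bailout()` is reached; if that exposure matters it has to be handled before the `zend_error()` call, not after it. If `level` is a fatal level, `zend_error()` may not return at all, in which case the trailing `efree(msg)` is skipped on that path; this looks pre-existing rather than introduced here. The function starts above the hunk, so any other `switch` cases that now fall through to the shared tail are not visible in this view.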