fix: guard QueryCert against panic on short/empty QNAME (#1635)

* fix: guard QueryCert against panic on short/empty QNAME QueryCert slices data[:len(data)-1] to strip a trailing dot, which panics when data is empty (slice bounds [:-1]). Add a length check to return early for inputs shorter than a minimal valid "x." form. While miekg/dns currently rejects wire-format packets that would produce an empty QNAME, the Nebula code should not rely on library behavior for crash safety. Made-with: Cursor * fix merge conflicts --------- Co-authored-by: JackDoan <me@jackdoan.com>
2026-05-15 20:37:36 +02:00 · 2026-04-22 20:42:14 +03:00
parent e753e6e93c
commit 2a1cc62001
2 changed files with 29 additions and 0 deletions
--- a/dns_server.go
+++ b/dns_server.go
@@ -241,6 +241,9 @@ func (d *dnsServer) Query(q uint16, data string) (netip.Addr, bool) {
 }

 func (d *dnsServer) QueryCert(data string) string {
+	if len(data) < 2 {
+		return ""
+	}
 	ip, err := netip.ParseAddr(data[:len(data)-1])
 	if err != nil {
 		return ""