From d39c1b0be6bd66d27d93129a52662e6e93e4bc3e Mon Sep 17 00:00:00 2001
From: David Sheets <sheets@alum.mit.edu>
Date: Wed, 7 Oct 2020 09:53:30 +0100
Subject: [PATCH] dnsforward/ipset: add segfault defense for missing DNS
 question section

---
 dnsforward/ipset.go      | 2 +-
 dnsforward/ipset_test.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/dnsforward/ipset.go b/dnsforward/ipset.go
index f5dadac0..f0c49973 100644
--- a/dnsforward/ipset.go
+++ b/dnsforward/ipset.go
@@ -131,7 +131,7 @@ func addToIpset(host string, ipsetName string, ipStr string) {
 // Call addMember for each (host, ipset, ip) triple
 func (c *ipsetCtx) processMembers(ctx *dnsContext, addMember func(string, string, string)) int {
 	req := ctx.proxyCtx.Req
-	if !(req.Question[0].Qtype == dns.TypeA ||
+	if req == nil || !(req.Question[0].Qtype == dns.TypeA ||
 		req.Question[0].Qtype == dns.TypeAAAA) ||
 		!ctx.responseFromUpstream {
 		return resultDone
diff --git a/dnsforward/ipset_test.go b/dnsforward/ipset_test.go
index bf8f362d..72721325 100644
--- a/dnsforward/ipset_test.go
+++ b/dnsforward/ipset_test.go
@@ -105,6 +105,13 @@ func TestIpsetParsing(t *testing.T) {
 	assert.False(t, ok)
 }
 
+func TestIpsetNoQuestion(t *testing.T) {
+	setup()
+
+	doProcess(t)
+	assert.Equal(t, 0, len(b))
+}
+
 func TestIpsetNoAnswer(t *testing.T) {
 	setup()