Labels: bug (Something isn't working)
Description
Missing bounds check in getLedgers can cause a panic when the in-memory cache is ahead of the read transaction's visible data. The panic is recovered by the request duration limiter - server continues running, client receives a -32003 error.
Bug
In cmd/stellar-rpc/internal/methods/get_ledgers.go:101:
```go
cursor := strconv.Itoa(int(ledgers[len(ledgers)-1].Sequence)) // panics if len(ledgers) == 0
```
This can happen during a race where NewTx() captures a cached latestLedgerSeq that the read transaction's snapshot doesn't yet contain.
Fix
```go
if len(ledgers) == 0 {
	return protocol.GetLedgersResponse{}, &jrpc2.Error{
		Code:    jrpc2.InternalError,
		Message: "no ledgers found in requested range",
	}
}
```
Things to note
- Not a security vulnerability - the panic is recovered, request fails gracefully
- Operators running public endpoints should ensure rate limiting and log rotation are configured appropriately
Status
Done
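
The failure mode described in the issue, as an added example that is not part of the original issue or the stellar-rpc code base: a cached latest sequence ahead of the read snapshot yields an empty slice, the unchecked index panics and is only caught by a recovering wrapper, while the guarded version returns an ordinary error. `Ledger`, `snapshotRange`, `cursorUnchecked`, `cursorChecked` and `withRecover` are hypothetical names, and `withRecover` only stands in for a panic-recovering request wrapper.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

type Ledger struct{ Sequence uint32 } // hypothetical stand-in for a ledger record
var errNoLedgers = errors.New("no ledgers found in requested range")

// snapshotRange returns [start, cachedLatest], limited to what the snapshot holds.
func snapshotRange(start, cachedLatest, snapshotLatest uint32) (out []Ledger) {
	for seq := start; seq <= cachedLatest && seq <= snapshotLatest; seq++ {
		out = append(out, Ledger{Sequence: seq})
	}
	return out
}

// cursorUnchecked indexes the last element as in the issue; panics on an empty slice.
func cursorUnchecked(ledgers []Ledger) string {
	return strconv.Itoa(int(ledgers[len(ledgers)-1].Sequence))
}

// cursorChecked applies the length guard before indexing.
func cursorChecked(ledgers []Ledger) (string, error) {
	if len(ledgers) == 0 {
		return "", errNoLedgers
	}
	return cursorUnchecked(ledgers), nil
}

// withRecover converts a panic in f into an error (assumed wrapper behaviour).
func withRecover(f func() string) (s string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	return f(), nil
}

func main() {
	ledgers := snapshotRange(101, 101, 100) // constructed: cache at 101, snapshot at 100
	_, err := withRecover(func() string { return cursorUnchecked(ledgers) })
	fmt.Println("unchecked:", err)
	_, err = cursorChecked(ledgers)
	fmt.Println("checked:", err)
}
```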