diff --git a/common/singbridge/destination.go b/common/singbridge/destination.go
index 7a89c9ef..98aed258 100644
--- a/common/singbridge/destination.go
+++ b/common/singbridge/destination.go
@@ -18,19 +18,25 @@ func ToNetwork(network string) net.Network {
 }
 
 func ToDestination(socksaddr M.Socksaddr, network net.Network) net.Destination {
+	// IsFqdn() implicitly checks if the domain name is valid
 	if socksaddr.IsFqdn() {
 		return net.Destination{
 			Network: network,
 			Address: net.DomainAddress(socksaddr.Fqdn),
 			Port:    net.Port(socksaddr.Port),
 		}
-	} else {
+	}
+
+	// IsIP() implicitly checks if the IP address is valid
+	if socksaddr.IsIP() {
 		return net.Destination{
 			Network: network,
 			Address: net.IPAddress(socksaddr.Addr.AsSlice()),
 			Port:    net.Port(socksaddr.Port),
 		}
 	}
+
+	return net.Destination{}
 }
 
 func ToSocksaddr(destination net.Destination) M.Socksaddr {
diff --git a/proxy/shadowsocks_2022/inbound_multi.go b/proxy/shadowsocks_2022/inbound_multi.go
index 04cac573..c9927476 100644
--- a/proxy/shadowsocks_2022/inbound_multi.go
+++ b/proxy/shadowsocks_2022/inbound_multi.go
@@ -204,7 +204,12 @@ func (i *MultiUserInbound) NewConnection(ctx context.Context, conn net.Conn, met
 	})
 	newError("tunnelling request to tcp:", metadata.Destination).WriteToLog(session.ExportIDToError(ctx))
 	dispatcher := session.DispatcherFromContext(ctx)
-	link, err := dispatcher.Dispatch(ctx, singbridge.ToDestination(metadata.Destination, net.Network_TCP))
+	destination := singbridge.ToDestination(metadata.Destination, net.Network_TCP)
+	if !destination.IsValid() {
+		return newError("invalid destination")
+	}
+
+	link, err := dispatcher.Dispatch(ctx, destination)
 	if err != nil {
 		return err
 	}