From d36a0d42aa7411a59486afcaefbed320c0b40e2a Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Thu, 9 Nov 2023 07:44:13 -0800
Subject: [PATCH] tsnet: check a bit harder for https in Server.ListenFunnel

This was mostly already fixed already indirectly in earlier commits but add a last second length check to this slice so it can't ever OOB.

Fixes #7860
Change-Id: I31ac17fc93b5808deb09ff34e452fe37c87ddf3a
Signed-off-by: Brad Fitzpatrick
---
 tsnet/tsnet.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tsnet/tsnet.go b/tsnet/tsnet.go
index c66963d17..6fbfb642b 100644
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -1009,6 +1009,9 @@ func (s *Server) ListenFunnel(network, addr string, opts ...FunnelOption) (net.L
 if srvConfig == nil {
 srvConfig = &ipn.ServeConfig{}
 }
+ if len(st.CertDomains) == 0 {
+ return nil, errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/s/https")
+ }
 domain := st.CertDomains[0]
 hp := ipn.HostPort(domain + ":" + portStr)
 if !srvConfig.AllowFunnel[hp] {
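Review bot: The added `len(st.CertDomains) == 0` guard carries no comment marking it as a deliberate backstop, and the diffstat shows only tsnet/tsnet.go changing, so no test pins the empty-CertDomains path; a later cleanup could drop the check as redundant and bring back the index panic at `st.CertDomains[0]`, which in a program embedding tsnet would presumably crash the process rather than fail one call. I would put `// Backstop: never index CertDomains without a length check, even if earlier validation should already have rejected this.` above the `if`, and add a test that calls ListenFunnel with HTTPS disabled and expects an error instead of a panic. The error is built inline with `errors.New`, so callers cannot tell this condition from other failures with `errors.Is`; a package-level sentinel would allow that, if no such value already exists outside the hunk. ListenFunnel's body starts and ends outside the hunk, so whether an earlier check already returns the same message is not visible here.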