tsnet: check a bit harder for https in Server.ListenFunnel

This was mostly fixed already, indirectly, in earlier
commits, but add a last-second length check to this slice so
it can't ever be indexed out of bounds.

Fixes #7860

Change-Id: I31ac17fc93b5808deb09ff34e452fe37c87ddf3a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Brad Fitzpatrick 2023-11-09 07:44:13 -08:00 committed by Brad Fitzpatrick
parent bff786520e
commit d36a0d42aa
1 changed files with 3 additions and 0 deletions


@ -1009,6 +1009,9 @@ func (s *Server) ListenFunnel(network, addr string, opts ...FunnelOption) (net.L
if srvConfig == nil {
srvConfig = &ipn.ServeConfig{}
}
if len(st.CertDomains) == 0 {
return nil, errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/s/https")
}
domain := st.CertDomains[0]
hp := ipn.HostPort(domain + ":" + portStr)
if !srvConfig.AllowFunnel[hp] {
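Review bot: The `len(st.CertDomains) == 0` guard in front of `st.CertDomains[0]` carries no comment saying that it exists to stop an index-out-of-range panic, so a later cleanup could remove it as redundant with checks made elsewhere. A one-line comment above it would be enough, for example `// No cert domains means HTTPS is not enabled; return an error instead of panicking on the [0] index below.` The diffstat lists only three additions in one file, so the fix appears to land without a regression test; a test that drives ListenFunnel with an empty CertDomains and expects an error would pin the behaviour, assuming the package's test setup can supply such a status. ListenFunnel's body starts and ends outside the hunk, so any earlier check on the same condition is not visible here.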