[tor-bugs] #27431 [Applications/Tor Browser]: TBA connects to location.services.mozilla.com

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 19 21:15:08 UTC 2018


#27431: TBA connects to location.services.mozilla.com
--------------------------------------+--------------------------
 Reporter:  towiw3                    |          Owner:  sysrqb
     Type:  defect                    |         Status:  assigned
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by sysrqb):

 * cc: tbb-team, igt0 (added)
 * owner:  tbb-team => sysrqb
 * status:  new => assigned
 * severity:  Normal => Major


Comment:

 Thanks for reporting this!

 Ugh, okay. This is exactly what we feared. It looks like this is the
 result of a bug within the Android core HTTP library. This leak is already
 fixed in the more recent releases of Android. In particular, any version
 after Android O (API 26+) should not leak DNS queries.

 I didn't catch this in #21863 because I only audited the master branch.
 You can see the leak here,
 [https://android.googlesource.com/platform/external/okhttp/+/marshmallow-
 release/okhttp/src/main/java/com/squareup/okhttp/internal/http/RouteSelector.java#187
 in Marshmallow]:
 {{{
     if (proxy.type() == Proxy.Type.DIRECT || proxy.type() ==
 Proxy.Type.SOCKS) {
       socketHost = address.getUriHost();
       socketPort = getEffectivePort(uri);
     } else {
       SocketAddress proxyAddress = proxy.address();
       if (!(proxyAddress instanceof InetSocketAddress)) {
         throw new IllegalArgumentException(
             "Proxy.address() is not an " + "InetSocketAddress: " +
 proxyAddress.getClass());
       }
       InetSocketAddress proxySocketAddress = (InetSocketAddress)
 proxyAddress;
       socketHost = getHostString(proxySocketAddress);
       socketPort = proxySocketAddress.getPort();
     }

     if (socketPort < 1 || socketPort > 65535) {
       throw new SocketException("No route to " + socketHost + ":" +
 socketPort
           + "; port is out of range");
     }

     // Try each address for best behavior in mixed IPv4/IPv6 environments.
     for (InetAddress inetAddress :
 network.resolveInetAddresses(socketHost)) {
       inetSocketAddresses.add(new InetSocketAddress(inetAddress,
 socketPort));
     }
 }}}

 And it is patched
 [https://android.googlesource.com/platform/external/okhttp/+/oreo-
 release/okhttp/src/main/java/com/squareup/okhttp/internal/http/RouteSelector.java#171
 in Oreo]:
 {{{
     if (proxy.type() == Proxy.Type.SOCKS) {
 inetSocketAddresses.add(InetSocketAddress.createUnresolved(socketHost,
 socketPort));
     } else {
       // Try each address for best behavior in mixed IPv4/IPv6
 environments.
       List<InetAddress> addresses = address.getDns().lookup(socketHost);
       for (int i = 0, size = addresses.size(); i < size; i++) {
         InetAddress inetAddress = addresses.get(i);
         inetSocketAddresses.add(new InetSocketAddress(inetAddress,
 socketPort));
       }
     }
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27431#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list