Opened 10 months ago

Last modified 8 months ago

#27431 reopened defect

TBA connects to

Reported by: towiw3 Owned by: sysrqb
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-mobile
Cc: tbb-team, igt0 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Why does it connect to It also connects to but there is already a ticket for that:

I think TBA should not connect to Mozilla at all. By default it should not connect to anything and it should only connect when users ask it to.

Child Tickets

Change History (4)

comment:1 Changed 8 months ago by sysrqb

Cc: tbb-team igt0 added
Owner: changed from tbb-team to sysrqb
Severity: NormalMajor
Status: newassigned

Thanks for reporting this!

Ugh, okay. This is exactly what we feared. It looks like this is the result of a bug within the Android core HTTP library. This leak is already fixed in the more recent releases of Android. In particular, any version after Android O (API 26+) should not leak DNS queries.

I didn't catch this in #21863 because I only audited the master branch. You can see the leak here, in Marshmallow:

    if (proxy.type() == Proxy.Type.DIRECT || proxy.type() == Proxy.Type.SOCKS) {
      socketHost = address.getUriHost();
      socketPort = getEffectivePort(uri);
    } else {
      SocketAddress proxyAddress = proxy.address();
      if (!(proxyAddress instanceof InetSocketAddress)) {
        throw new IllegalArgumentException(                                                                                                                                                                        
            "Proxy.address() is not an " + "InetSocketAddress: " + proxyAddress.getClass());
      InetSocketAddress proxySocketAddress = (InetSocketAddress) proxyAddress;
      socketHost = getHostString(proxySocketAddress);
      socketPort = proxySocketAddress.getPort();

    if (socketPort < 1 || socketPort > 65535) {
      throw new SocketException("No route to " + socketHost + ":" + socketPort
          + "; port is out of range");

    // Try each address for best behavior in mixed IPv4/IPv6 environments.
    for (InetAddress inetAddress : network.resolveInetAddresses(socketHost)) {
      inetSocketAddresses.add(new InetSocketAddress(inetAddress, socketPort));

And it is patched in Oreo:

    if (proxy.type() == Proxy.Type.SOCKS) {
      inetSocketAddresses.add(InetSocketAddress.createUnresolved(socketHost, socketPort));
    } else {
      // Try each address for best behavior in mixed IPv4/IPv6 environments.                                                                                                                                       
      List<InetAddress> addresses = address.getDns().lookup(socketHost);
      for (int i = 0, size = addresses.size(); i < size; i++) {
        InetAddress inetAddress = addresses.get(i);
        inetSocketAddresses.add(new InetSocketAddress(inetAddress, socketPort));

comment:2 Changed 8 months ago by sysrqb

Parent ID: #28125
Resolution: duplicate
Status: assignedclosed

I'll close this and we'll work on the master/parent ticket.

comment:3 Changed 8 months ago by sysrqb

Resolution: duplicate
Status: closedreopened

Actually, no, sorry. There is a second bug we should patch here. I agree we shouldn't contact Mozilla for this. Specifically, this occurs because Fennec makes a connection to and Mozilla responds with geo-location (based on some GeoIP database) for the incoming connection. The geo-location information is then used by the app for choosing the region-specific search engines provided in the app (or using a default set). This is not helpful for TBA users, and Mozilla only responds if the request includes a valid API key - which we don't have. As a result, TBA makes a useless request where it always uses the default search engines at the end.

comment:4 Changed 8 months ago by gk

Parent ID: #28125
Note: See TracTickets for help on using tickets.