Handle denied system DNS lookup in manager#771
Open
Shallow-dusty wants to merge 2 commits into
Open
Conversation
There was a problem hiding this comment.
Pull request overview
Defensively prevents Vector manager crashes on Android 11 when using OkHttp’s system DNS (DoH disabled) by converting unexpected SecurityException failures at the Dns.lookup() boundary into the checked UnknownHostException OkHttp expects.
Changes:
- Wrap
CloudflareDNS.lookup()resolution path in atry/catch. - Convert
SecurityExceptionfrom DNS lookup intoUnknownHostExceptionwith the original exception set as the cause.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #636
When DoH is disabled, the manager uses OkHttp's system DNS implementation through
CloudflareDNS.lookup(). The crash log in #636 shows Android 11 can throw an uncheckedSecurityExceptionfrom that DNS lookup path:FATAL EXCEPTION: OkHttp Dispatcherjava.lang.SecurityException: Permission denied (missing INTERNET permission?)at org.lsposed.manager.util.CloudflareDNS.lookup(...)The manifest already declares
android.permission.INTERNET, so this is not a manifest-permission fix. Instead, handle the denied lookup defensively at theDns.lookup()boundary by convertingSecurityExceptionintoUnknownHostException, which is the checked failure type OkHttp expects from DNS implementations.Validation
git diff --check./gradlew.bat --no-daemon :app:compileDebugJavaWithJavac./gradlew.bat --no-daemon :app:assembleDebugVector_API30),doh=false: manager UI launches and remains alive; no fatal crash in logcat.Reproduction boundary
I could not reproduce the exact
EPERM/SecurityExceptionon a clean API 30 emulator. Attempts included Private DNSoff,opportunistic, invalid hostname mode, Data Saver / app UID restrict-background blacklist, and a local-only no-INTERNETmanifest build. These did not reproduce the reporter's environment-specificandroid_getaddrinfo failed: EPERMpath.To verify the fix still covers the reported failure mode, I used a local-only fault-injection comparison that was not included in this PR:
origin/master, injecting the sameSecurityException("Permission denied (missing INTERNET permission?)")fromCloudflareDNS.lookup()withdoh=falsereproducedFATAL EXCEPTION: OkHttp DispatcherandProcess: org.lsposed.manager.tryblock kept the app alive and converted the request failures tojava.net.UnknownHostException: Permission denied (missing INTERNET permission?), with noAndroidRuntimefatal crash.So the clean emulator cannot recreate the original device policy state, but the branch directly covers the exception class/message at the same method boundary shown in the issue stack.