Hi,

Thanks for the report. I think this should be fixed in
https://secure.ucc.asn.au/hg/dropbear/rev/19ce21bd198a

I think there has probably been a timing-dependent bug there for a long time,
but it was exposed more easily in 2013.57.

Cheers,
Matt

On Mon, Jan 20, 2014 at 09:53:18PM +0100, Oliver Metz wrote:
> Hi,
>
> we see a bug when the rekey limit is reached. Dropbear is run on an embedded
> mips device. For testing purposes we changed the define in sysoptions.h to:
> #define KEX_REKEY_DATA (1<<21)
>
> This gives the following log:
> ...
> TRACE (5619) 1389521630.365826: send_msg_channel_data: len 16375 fd 0
> TRACE (5619) 1389521630.372597: leave send_msg_channel_data
> TRACE (5619) 1389521630.373003: send normal readfd
> TRACE (5619) 1389521630.373316: enter send_msg_channel_data
> TRACE (5619) 1389521630.373707: enter send_msg_channel_data isextended 0 fd 0
> TRACE (5619) 1389521630.374120: maxlen 16375
> TRACE (5619) 1389521630.374595: send_msg_channel_data: len 16375 fd 0
> TRACE (5619) 1389521630.381393: leave send_msg_channel_data
> TRACE (5619) 1389521630.381798: rekeying after timeout or max data reached
> TRACE (5619) 1389521630.382441: send_msg_kexdh_init()
> TRACE (5619) 1389521630.391507: DATAALLOWED=0
> TRACE (5619) 1389521630.391861: -> KEXINIT
> TRACE (5619) 1389521630.392163: maybe_empty_reply_queue - no data allowed
> TRACE (5619) 1389521630.769376: empty queue dequeing
> TRACE (5619) 1389521630.769747: maybe_empty_reply_queue - no data allowed
> TRACE (5619) 1389521631.234696: process_packet: packet type = 93, len 9
> TRACE (5619) 1389521631.235255: enter session_cleanup
> TRACE (5619) 1389521631.235565: enter cli_tty_cleanup
> TRACE (5619) 1389521631.235865: leave cli_tty_cleanup: not in raw mode
> TRACE (5619) 1389521631.236376: enter chancleanup
> TRACE (5619) 1389521631.236683: channel 0 closing
> TRACE (5619) 1389521631.237056: enter remove_channel
> TRACE (5619) 1389521631.237352: channel index is 0
> TRACE (5619) 1389521631.238302: CLOSE writefd 1
> TRACE (5619) 1389521631.238677: CLOSE readfd 0
> TRACE (5619) 1389521631.239089: CLOSE errfd 2
>
> rsync: writefd_unbuffered failed to write 4092 bytes to socket [sender]:
> Broken pipe (32)
> rsync: connection unexpectedly closed (34 bytes received so far) [sender]
> rsync error: error in rsync protocol data stream (code 12) at io.c(605)
> [sender=3.0.9]
>
> With the unaltered define this happens after exactly 1GB traffic. I'm sorry
> that I can't attach a patch. But I can provide more logs if you need them.
>
> Regards
> Oliver
>
> http://freetz.org
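
For triaging longer traces of this failure, the following added example (not part of the original thread and not Dropbear code) scans TRACE output for a rekey start that is followed by `enter session_cleanup`, and reports the elapsed time and the packet types received in between. The function name `find_aborted_rekeys` is hypothetical, the marker strings are taken from the quoted log, and since the page shows no trace line for a completed key exchange, every cleanup that follows a rekey start is reported for manual review.

```python
import re
from decimal import Decimal

# Layout seen in the quoted log: "TRACE (pid) epoch.usec: message"
TRACE_RE = re.compile(r"TRACE \((\d+)\) (\d+\.\d+): (.*)")
PACKET_RE = re.compile(r"process_packet: packet type = (\d+)")
REKEY_START = "rekeying after timeout or max data reached"
CLEANUP = "enter session_cleanup"

# Excerpt of the trace quoted in the report, plus one non-trace line.
SAMPLE = """\
TRACE (5619) 1389521630.381393: leave send_msg_channel_data
TRACE (5619) 1389521630.381798: rekeying after timeout or max data reached
TRACE (5619) 1389521630.382441: send_msg_kexdh_init()
TRACE (5619) 1389521630.391507: DATAALLOWED=0
TRACE (5619) 1389521630.391861: -> KEXINIT
TRACE (5619) 1389521630.392163: maybe_empty_reply_queue - no data allowed
TRACE (5619) 1389521631.234696: process_packet: packet type = 93, len 9
TRACE (5619) 1389521631.235255: enter session_cleanup
rsync: connection unexpectedly closed (34 bytes received so far) [sender]
"""

def find_aborted_rekeys(text):
    """Return one record per rekey start that is followed by session_cleanup."""
    pending = {}    # pid -> record for the rekey currently being tracked
    findings = []
    for line in text.splitlines():
        m = TRACE_RE.search(line)   # search() also accepts "> "-quoted lines
        if not m:
            continue                # skip non-trace output such as rsync errors
        pid, ts, msg = int(m.group(1)), Decimal(m.group(2)), m.group(3).strip()
        if msg == REKEY_START:
            pending[pid] = {"pid": pid, "start": ts, "packets": []}
        elif pid in pending:
            pkt = PACKET_RE.match(msg)
            if pkt:
                pending[pid]["packets"].append(int(pkt.group(1)))
            elif msg == CLEANUP:
                rec = pending.pop(pid)
                rec["elapsed"] = ts - rec["start"]  # Decimal keeps microseconds exact
                findings.append(rec)
    return findings

if __name__ == "__main__":
    for rec in find_aborted_rekeys(SAMPLE):
        print(f"pid {rec['pid']}: cleanup {rec['elapsed']}s after rekey start, "
              f"packet types seen: {rec['packets']}")
```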