Bug in rekeying

Matt Johnston matt at ucc.asn.au
Thu Jan 23 22:35:22 WST 2014


Hi,

Thanks for the report. I think this should be fixed in 
https://secure.ucc.asn.au/hg/dropbear/rev/19ce21bd198a

I think there has probably been a timing-dependent bug there
for a long time, but it was exposed more easily in 2013.57.

Cheers,
Matt

On Mon, Jan 20, 2014 at 09:53:18PM +0100, Oliver Metz wrote:
> Hi,
> 
> We see a bug when the rekey limit is reached. Dropbear is run on an embedded MIPS device. For testing purposes we changed the define in sysoptions.h to:
> #define KEX_REKEY_DATA (1<<21)
> 
> This gives the following log:
> ...
> TRACE (5619) 1389521630.365826: send_msg_channel_data: len 16375 fd 0
> TRACE (5619) 1389521630.372597: leave send_msg_channel_data
> TRACE (5619) 1389521630.373003: send normal readfd
> TRACE (5619) 1389521630.373316: enter send_msg_channel_data
> TRACE (5619) 1389521630.373707: enter send_msg_channel_data isextended 0 fd 0
> TRACE (5619) 1389521630.374120: maxlen 16375
> TRACE (5619) 1389521630.374595: send_msg_channel_data: len 16375 fd 0
> TRACE (5619) 1389521630.381393: leave send_msg_channel_data
> TRACE (5619) 1389521630.381798: rekeying after timeout or max data reached
> TRACE (5619) 1389521630.382441: send_msg_kexdh_init()
> TRACE (5619) 1389521630.391507: DATAALLOWED=0
> TRACE (5619) 1389521630.391861: -> KEXINIT
> TRACE (5619) 1389521630.392163: maybe_empty_reply_queue - no data allowed
> TRACE (5619) 1389521630.769376: empty queue dequeing
> TRACE (5619) 1389521630.769747: maybe_empty_reply_queue - no data allowed
> TRACE (5619) 1389521631.234696: process_packet: packet type = 93, len 9
> TRACE (5619) 1389521631.235255: enter session_cleanup
> TRACE (5619) 1389521631.235565: enter cli_tty_cleanup
> TRACE (5619) 1389521631.235865: leave cli_tty_cleanup: not in raw mode
> TRACE (5619) 1389521631.236376: enter chancleanup
> TRACE (5619) 1389521631.236683: channel 0 closing
> TRACE (5619) 1389521631.237056: enter remove_channel
> TRACE (5619) 1389521631.237352: channel index is 0
> TRACE (5619) 1389521631.238302: CLOSE writefd 1
> TRACE (5619) 1389521631.238677: CLOSE readfd 0
> TRACE (5619) 1389521631.239089: CLOSE errfd 2
> rsync: writefd_unbuffered failed to write 4092 bytes to socket [sender]: Broken pipe (32)
> rsync: connection unexpectedly closed (34 bytes received so far) [sender]
> rsync error: error in rsync protocol data stream (code 12) at io.c(605) [sender=3.0.9]
> 
> With the unaltered define this happens after exactly 1GB of traffic. I'm sorry that I can't attach a patch. But I can provide more logs if you need them.
> 
> Regards
> Oliver
> 
> http://freetz.org
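
A triage aid for traces like the one quoted above, added here as an example and not part of the original thread or of Dropbear: it flags any process whose trace enters session_cleanup shortly after a rekey starts and lists the packet types processed in between. The function name and the 5-second window (`max_gap_us`) are assumptions; the line format and message strings are taken from the quoted log.

```python
import re

# Line shape as it appears in the trace quoted above: "TRACE (pid) sec.usec: message"
TRACE_RE = re.compile(r"^(?:>\s*)?TRACE \((\d+)\) (\d+)\.(\d{6}): (.*)$")
PACKET_RE = re.compile(r"process_packet: packet type = (\d+)")
REKEY_START = "rekeying after timeout or max data reached"
CLEANUP = "enter session_cleanup"


def find_rekey_teardowns(lines, max_gap_us=5_000_000):
    """Report sessions cleaned up within max_gap_us (assumed window) of a rekey start."""
    pending = {}   # pid -> (rekey start in microseconds, packet types seen since)
    findings = []
    for line in lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # non-TRACE output, e.g. the rsync error lines
        pid, msg = m.group(1), m.group(4)
        # Integer microseconds avoid float rounding on epoch-sized timestamps
        ts = int(m.group(2)) * 1_000_000 + int(m.group(3))
        if msg == REKEY_START:
            pending[pid] = (ts, [])
            continue
        if pid not in pending:
            continue
        start, packets = pending[pid]
        if ts - start > max_gap_us:
            del pending[pid]  # rekey is old; a later cleanup is not attributed to it
            continue
        pkt = PACKET_RE.match(msg)
        if pkt:
            packets.append(int(pkt.group(1)))
        elif msg == CLEANUP:
            del pending[pid]
            findings.append({"pid": pid, "delta_us": ts - start, "packet_types": packets})
    return findings


# Lines copied from the trace quoted above (abridged)
SAMPLE = """\
TRACE (5619) 1389521630.381798: rekeying after timeout or max data reached
TRACE (5619) 1389521630.391861: -> KEXINIT
TRACE (5619) 1389521631.234696: process_packet: packet type = 93, len 9
TRACE (5619) 1389521631.235255: enter session_cleanup
rsync: connection unexpectedly closed (34 bytes received so far) [sender]
""".splitlines()

if __name__ == "__main__":
    print(find_rekey_teardowns(SAMPLE))
```

For the quoted trace this reports packet type 93 (SSH_MSG_CHANNEL_WINDOW_ADJUST in RFC 4254) as the only packet processed between the rekey start and session_cleanup, 853457 microseconds apart.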

