FreeBSD 4.3-stable, coda from cvs around 17 July.
masquerade=1
coda packets in IPsec
28.8 modem between client and server.
volume is singly replicated; only 1 server in system

(gdb) bt
#0  0x281611ca in sftp_vfreadv (se=0x811b400, iovarray=0x450afc20, howMany=0)
    at sftp3.c:1469
#1  0x28160273 in sftp_ReadStrategy (sEntry=0x811b400) at sftp3.c:1074
#2  0x2815f606 in sftp_SendStrategy (sEntry=0x811b400) at sftp3.c:720
#3  0x2815c8a3 in PutFile (sEntry=0x811b400) at sftp1.c:860
#4  0x2815c0a7 in SFTP_SendResponse (ConnHandle=152677455, Reply=0x450afefc)
    at sftp1.c:608
#5  0x281394ca in RPC2_SendResponse (ConnHandle=152677455, Reply=0x8113a00)
    at rpc2a.c:188
#6  0x80c848e in cb_ExecuteRequest (_cid=152677455, _reqbuffer=0x0, _bd=0x0)
    at callback.server.c:194
#7  0x8086fb5 in callbackserver::main (this=0x812d400) at venuscb.cc:170
#8  0x80a3698 in VprocPreamble (init_lock=0x812d440) at vproc.cc:146
#9  0x28175ef3 in Create_Process_Part2 () at lwp.c:792

(gdb) i fr
Stack level 0, frame at 0x450afbd0:
 eip = 0x281611ca in sftp_vfreadv (sftp3.c:1469); saved eip 0x28160273
 called by frame at 0x450afe20
 source language c.
 Arglist at 0x450afbd0, args: se=0x811b400, iovarray=0x450afc20, howMany=0
 Locals at 0x450afbd0, Previous frame's sp is 0x0
 Saved registers:
  ebx at 0x450afba8, ebp at 0x450afbd0, esi at 0x450afbac, edi at 0x450afbb0,
  eip at 0x450afbd4

1459    static int sftp_vfreadv(struct SFTP_Entry *se, struct iovec iovarray[], long howMany)
1460        /* Like Unix readv().  Returns total number of bytes read.
1461           Can deal with in-memory files */
1462    {
1463        long i, rc, bytesleft;
1464        char *initp;
1465        struct FileInfoByAddr *x;
1466        int n;
1467
1468        /* Go to the disk if we must */
1469        if (!MEMFILE(se->SDesc)) {
1470            if (BYFDFILE(se->SDesc))
1471                (void)lseek(se->openfd, se->fd_offset, SEEK_SET);
1472
1473            n = readv(se->openfd, iovarray, howMany);

(gdb) print *se
$3 = {Magic = 135483392, WhoAmI = SFSERVER, LocalHandle = 0, PInfo = {
    RemoteHost = {Tag = 0, Value = {InetAddress = {s_addr = 0}, 
        Name = '\000' <repeats 63 times>}}, RemotePort = {Tag = 0, Value = {
        InetPortNumber = 0, Name = '\000' <repeats 19 times>}}, 
    RemoteSubsys = {Tag = 0, Value = {SubsysId = 0, 
        Name = '\000' <repeats 19 times>}}, RemoteHandle = 0, 
    SecurityLevel = 0, EncryptionType = 0, Uniquefier = 0, 
    SessionKey = "\000\000\000\000\000\000\000"}, PeerPort = {Tag = 0, 
    Value = {InetPortNumber = 0, Name = '\000' <repeats 19 times>}}, 
  LastWord = {tv_sec = 0, tv_usec = 0}, HostInfo = 0x0, Uniquefier = 0, 
  GotParms = 0, SentParms = 0, SDesc = 0x0, openfd = 0, fd_offset = 0, 
  Sleeper = 0x0, PacketSize = 0, WindowSize = 0, SendAhead = 0, AckPoint = 0, 
  DupThreshold = 0, RetryCount = 0, ReadAheadCount = 0, CtrlSeqNumber = 0, 
  RInterval = {tv_sec = 0, tv_usec = 0}, Retransmitting = 1, BindTime = 0, 
  LastSS = {tv_sec = 999263067, tv_usec = 999956}, PiggySDesc = 0x0, 
  XferState = 0, UseMulticast = 0, RepliedSinceLastSS = 0, 
  McastersStarted = 0, McastersFinished = 0, FirstSeqNo = 0, HitEOF = 0, 
  SendLastContig = 0, SendMostRecent = 0, SendTheseBits = {0, 0}, 
  SendAckLimit = 0, SendWorriedLimit = 0, RecvLastContig = 0, 
  RecvMostRecent = 0, DupsSinceAck = 0, RecvSinceAck = 0, RequestTime = 0, 
  RecvTheseBits = {0, 0}, ThesePackets = {0x0 <repeats 64 times>}}


This doesn't look right.  Plus,
(gdb) print se->SDesc    
$4 = (SE_Descriptor *) 0x0

going up, it seems this was called with the last arg 0:

Stack level 1, frame at 0x450afe20:
 eip = 0x28160273 in sftp_ReadStrategy (sftp3.c:1074); saved eip 0x2815f606
 called by frame at 0x450afe50, caller of frame at 0x450afbd0
 source language c.
 Arglist at 0x450afe20, args: sEntry=0x811b400
 Locals at 0x450afe20, Previous frame's sp is 0x0
 Saved registers:
  ebx at 0x450afbe8, ebp at 0x450afe20, esi at 0x450afbec, edi at 0x450afbf0,
  eip at 0x450afe24

1074        bytesread = sftp_vfreadv(sEntry, iovarray, sEntry->SendAhead);

I think the problem might be the SE not getting turned off when a
disconnect happens.

sftp_ReadStrategy has a number of problems:
bodylength = -60
sEntry->PacketSize = 0

in sftp1.c:PutFile
I find
821         ce = rpc2_GetConn(sEntry->LocalHandle);

which is not checked; for me it is null.

I put in code to fail right away if there was no ce.

    ce = rpc2_GetConn(sEntry->LocalHandle);
    if ( ce == 0 ) {

      QUIT(sEntry, SE_FAILURE, RPC2_SEFAIL2);
    }

Now I'm still timing out, but venus isn't crashing.

09:42:51 Getting Root Volume information...
09:42:55 Reintegrate u.gdt pending tokens for uid = 10853
09:42:56 Venus starting...
09:42:57 Reintegrate u.gdt pending tokens for uid = 10853
09:43:34 Reintegrate: u.gdt, 5/5 records, result = Operation timed out
09:44:35 Reintegrate: u.gdt, 5/5 records, result = Operation timed out

This doesn't feel quite right, but I do not understand rpc2 well enough...