fuzz: work around fuzz_connect_remote() limitations

cli-tcpfwd.c

@@ -273,11 +273,11 @@ static int newtcpforwarded(struct Channel * channel) {
                 origaddr, origport);
 		goto out;
 	}
+
+	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 	
 	snprintf(portstring, sizeof(portstring), "%u", fwd->connectport);
 	channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel, NULL, NULL);
-
-	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 	
 	err = SSH_OPEN_IN_PROGRESS;
 

fuzz/fuzz-common.c

@@ -238,6 +238,12 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t
 struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport),
     connect_callback cb, void* cb_data, 
     const char* UNUSED(bind_address), const char* UNUSED(bind_port)) {
+    /* This replacement for connect_remote() has slightly different semantics
+    to the real thing. It should probably be replaced with something more sophisticated.
+    It calls the callback cb() immediately rather than
+    in a future session loop iteration with set_connect_fds()/handle_connect_fds().
+    This could cause problems depending on how connect_remote() is used. In particular
+    the callback can close a channel - that can cause use-after-free. */
     char r;
     genrandom((void*)&r, 1);
     if (r & 1) {

svr-tcpfwd.c

@@ -284,10 +284,10 @@ static int newtcpdirect(struct Channel * channel) {
 		goto out;
 	}
 
+	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
+
 	snprintf(portstring, sizeof(portstring), "%u", destport);
 	channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel, NULL, NULL);
-
-	channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
 	
 	err = SSH_OPEN_IN_PROGRESS;