/*
   Unix SMB/CIFS implementation.
   Infrastructure for async SMB client requests
   Copyright (C) Volker Lendecke 2008

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"

static void cli_state_handler(struct event_context *event_ctx,
			      struct fd_event *event, uint16 flags, void *p);

/**
 * Fetch an error out of a NBT packet
 * @param[in] buf	The SMB packet
 * @retval		The error, converted to NTSTATUS
 */

NTSTATUS cli_pull_error(char *buf)
{
	uint32_t flags2 = SVAL(buf, smb_flg2);

	if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
		return NT_STATUS(IVAL(buf, smb_rcls));
	}

	/* if the client uses dos errors, but there is no error,
	   we should return no error here, otherwise it looks
	   like an unknown bad NT_STATUS. jmcd */
	if (CVAL(buf, smb_rcls) == 0)
		return NT_STATUS_OK;

	return NT_STATUS_DOS(CVAL(buf, smb_rcls), SVAL(buf,smb_err));
}

/**
 * Compatibility helper for the sync APIs: Fake NTSTATUS in cli->inbuf
 * @param[in] cli	The client connection that just received an error
 * @param[in] status	The error to set on "cli"
 */

void cli_set_error(struct cli_state *cli, NTSTATUS status)
{
	uint32_t flags2 = SVAL(cli->inbuf, smb_flg2);

	if (NT_STATUS_IS_DOS(status)) {
		SSVAL(cli->inbuf, smb_flg2,
		      flags2 & ~FLAGS2_32_BIT_ERROR_CODES);
		SCVAL(cli->inbuf, smb_rcls, NT_STATUS_DOS_CLASS(status));
		SSVAL(cli->inbuf, smb_err, NT_STATUS_DOS_CODE(status));
		return;
	}

	SSVAL(cli->inbuf, smb_flg2, flags2 | FLAGS2_32_BIT_ERROR_CODES);
	SIVAL(cli->inbuf, smb_rcls, NT_STATUS_V(status));
	return;
}

/**
 * Allocate a new mid
 * @param[in] cli	The client connection
 * @retval		The new, unused mid
 */

static uint16_t cli_new_mid(struct cli_state *cli)
{
	uint16_t result;
	struct cli_request *req;

	while (true) {
		result = cli->mid++;
		if (result == 0) {
			continue;
		}

		for (req = cli->outstanding_requests; req; req = req->next) {
			if (result == req->mid) {
				break;
			}
		}

		if (req == NULL) {
			return result;
		}
	}
}

/**
 * Print an async req that happens to be a cli_request
 * @param[in] mem_ctx	The TALLOC_CTX to put the result on
 * @param[in] req	The request to print
 * @retval		The string representation of "req"
 */

static char *cli_request_print(TALLOC_CTX *mem_ctx, struct async_req *req)
{
	char *result = async_req_print(mem_ctx, req);
	struct cli_request *cli_req = talloc_get_type_abort(
		req->private_data, struct cli_request);

	if (result == NULL) {
		return NULL;
	}

	return talloc_asprintf_append_buffer(
		result, "mid=%d\n", cli_req->mid);
}

/**
 * Destroy a cli_request
 * @param[in] req	The cli_request to kill
 * @retval Can't fail
 */

static int cli_request_destructor(struct cli_request *req)
{
	if (req->enc_state != NULL) {
		common_free_enc_buffer(req->enc_state, req->outbuf);
	}
	DLIST_REMOVE(req->cli->outstanding_requests, req);
	if (req->cli->outstanding_requests == NULL) {
		TALLOC_FREE(req->cli->fd_event);
	}
	return 0;
}

/**
 * Is the SMB command able to hold an AND_X successor
 * @param[in] cmd	The SMB command in question
 * @retval Can we add a chained request after "cmd"?
 */

static bool is_andx_req(uint8_t cmd)
{
	switch (cmd) {
	case SMBtconX:
	case SMBlockingX:
	case SMBopenX:
	case SMBreadX:
	case SMBwriteX:
	case SMBsesssetupX:
	case SMBulogoffX:
	case SMBntcreateX:
		return true;
		break;
	default:
		break;
	}

	return false;
}

/**
 * @brief Find the smb_cmd offset of the last command pushed
 * @param[in] buf	The buffer we're building up
 * @retval		Where can we put our next andx cmd?
 *
 * While chaining requests, the "next" request we're looking at needs to put
 * its SMB_Command before the data the previous request already built up added
 * to the chain. Find the offset to the place where we have to put our cmd.
 */

static bool find_andx_cmd_ofs(char *buf, size_t *pofs)
{
	uint8_t cmd;
	size_t ofs;

	cmd = CVAL(buf, smb_com);

	SMB_ASSERT(is_andx_req(cmd));

	ofs = smb_vwv0;

	while (CVAL(buf, ofs) != 0xff) {

		if (!is_andx_req(CVAL(buf, ofs))) {
			return false;
		}

		/*
		 * ofs is from start of smb header, so add the 4 length
		 * bytes. The next cmd is right after the wct field.
		 */
		ofs = SVAL(buf, ofs+2) + 4 + 1;

		SMB_ASSERT(ofs+4 < talloc_get_size(buf));
	}

	*pofs = ofs;
	return true;
}

/**
 * @brief Destroy an async_req that is the visible part of a cli_request
 * @param[in] req	The request to kill
 * @retval Return 0 to make talloc happy
 *
 * This destructor is a bit tricky: Because a cli_request can host more than
 * one async_req for chained requests, we need to make sure that the
 * "cli_request" that we were part of is correctly destroyed at the right
 * time. This is done by NULLing out ourself from the "async" member of our
 * "cli_request". If there is none left, then also TALLOC_FREE() the
 * cli_request, which was a talloc child of the client connection cli_state.
 */

static int cli_async_req_destructor(struct async_req *req)
{
	struct cli_request *cli_req = talloc_get_type_abort(
		req->private_data, struct cli_request);
	int i, pending;
	bool found = false;

	pending = 0;

	for (i=0; i<cli_req->num_async; i++) {
		if (cli_req->async[i] == req) {
			cli_req->async[i] = NULL;
			found = true;
		}
		if (cli_req->async[i] != NULL) {
			pending += 1;
		}
	}

	SMB_ASSERT(found);

	if (pending == 0) {
		TALLOC_FREE(cli_req);
	}

	return 0;
}

/**
 * @brief Chain up a request
 * @param[in] mem_ctx		The TALLOC_CTX for the result
 * @param[in] ev		The event context that will call us back
 * @param[in] cli		The cli_state we queue the request up for
 * @param[in] smb_command	The command that we want to issue
 * @param[in] additional_flags	open_and_x wants to add oplock header flags
 * @param[in] wct		How many words?
 * @param[in] vwv		The words, already in network order
 * @param[in] num_bytes		How many bytes?
 * @param[in] bytes		The data the request ships
 *
 * cli_request_chain() is the core of the SMB request marshalling routine. It
 * will create a new async_req structure in the cli->chain_accumulator->async
 * array and marshall the smb_cmd, the vwv array and the bytes into
 * cli->chain_accumulator->outbuf.
 */

static struct async_req *cli_request_chain(TALLOC_CTX *mem_ctx,
					   struct event_context *ev,
					   struct cli_state *cli,
					   uint8_t smb_command,
					   uint8_t additional_flags,
					   uint8_t wct, const uint16_t *vwv,
					   uint16_t num_bytes,
					   const uint8_t *bytes)
{
	struct async_req **tmp_reqs;
	char *tmp_buf;
	struct cli_request *req;
	size_t old_size, new_size;
	size_t ofs;

	req = cli->chain_accumulator;

	tmp_reqs = TALLOC_REALLOC_ARRAY(req, req->async, struct async_req *,
					req->num_async + 1);
	if (tmp_reqs == NULL) {
		DEBUG(0, ("talloc failed\n"));
		return NULL;
	}
	req->async = tmp_reqs;
	req->num_async += 1;

	req->async[req->num_async-1] = async_req_new(mem_ctx, ev);
	if (req->async[req->num_async-1] == NULL) {
		DEBUG(0, ("async_req_new failed\n"));
		req->num_async -= 1;
		return NULL;
	}
	req->async[req->num_async-1]->private_data = req;
	req->async[req->num_async-1]->print = cli_request_print;
	talloc_set_destructor(req->async[req->num_async-1],
			      cli_async_req_destructor);

	old_size = talloc_get_size(req->outbuf);

	/*
	 * We need space for the wct field, the words, the byte count field
	 * and the bytes themselves.
	 */
	new_size = old_size + 1 + wct * sizeof(uint16_t) + 2 + num_bytes;

	if (new_size > 0xffff) {
		DEBUG(1, ("cli_request_chain: %u bytes won't fit\n",
			  (unsigned)new_size));
		goto fail;
	}

	tmp_buf = TALLOC_REALLOC_ARRAY(NULL, req->outbuf, char, new_size);
	if (tmp_buf == NULL) {
		DEBUG(0, ("talloc failed\n"));
		goto fail;
	}
	req->outbuf = tmp_buf;

	if (old_size == smb_wct) {
		SCVAL(req->outbuf, smb_com, smb_command);
	} else {
		size_t andx_cmd_ofs;
		if (!find_andx_cmd_ofs(req->outbuf, &andx_cmd_ofs)) {
			DEBUG(1, ("invalid command chain\n"));
			goto fail;
		}
		SCVAL(req->outbuf, andx_cmd_ofs, smb_command);
		SSVAL(req->outbuf, andx_cmd_ofs + 2, old_size - 4);
	}

	ofs = old_size;

	SCVAL(req->outbuf, ofs, wct);
	ofs += 1;

	memcpy(req->outbuf + ofs, vwv, sizeof(uint16_t) * wct);
	ofs += sizeof(uint16_t) * wct;

	SSVAL(req->outbuf, ofs, num_bytes);
	ofs += sizeof(uint16_t);

	memcpy(req->outbuf + ofs, bytes, num_bytes);

	return req->async[req->num_async-1];

 fail:
	TALLOC_FREE(req->async[req->num_async-1]);
	req->num_async -= 1;
	return NULL;
}

/**
 * @brief prepare a cli_state to accept a chain of requests
 * @param[in] cli	The cli_state we want to queue up in
 * @param[in] ev	The event_context that will call us back for the socket
 * @param[in] size_hint	How many bytes are expected, just an optimization
 * @retval Did we have enough memory?
 *
 * cli_chain_cork() sets up a new cli_request in cli->chain_accumulator. If
 * cli is used in an async fashion, i.e. if we have outstanding requests, then
 * we do not have to create a fd event. If cli is used only with the sync
 * helpers, we need to create the fd_event here.
 *
 * If you want to issue a chained request to the server, do a
 * cli_chain_cork(), then do you cli_open_send(), cli_read_and_x_send(),
 * cli_close_send() and so on. The async requests that come out of
 * cli_xxx_send() are normal async requests with the difference that they
 * won't be shipped individually. But the event_context will still trigger the
 * req->async.fn to be called on every single request.
 *
 * You have to take care yourself that you only issue chainable requests in
 * the middle of the chain.
 */

bool cli_chain_cork(struct cli_state *cli, struct event_context *ev,
		    size_t size_hint)
{
	struct cli_request *req = NULL;

	SMB_ASSERT(cli->chain_accumulator == NULL);

	if (cli->fd == -1) {
		DEBUG(10, ("cli->fd closed\n"));
		return false;
	}

	if (cli->fd_event == NULL) {
		SMB_ASSERT(cli->outstanding_requests == NULL);
		cli->fd_event = event_add_fd(ev, cli, cli->fd,
					     EVENT_FD_READ,
					     cli_state_handler, cli);
		if (cli->fd_event == NULL) {
			return false;
		}
	}

	req = talloc(cli, struct cli_request);
	if (req == NULL) {
		goto fail;
	}
	req->cli = cli;

	if (size_hint == 0) {
		size_hint = 100;
	}
	req->outbuf = talloc_array(req, char, smb_wct + size_hint);
	if (req->outbuf == NULL) {
		goto fail;
	}
	req->outbuf = TALLOC_REALLOC_ARRAY(NULL, req->outbuf, char, smb_wct);

	req->num_async = 0;
	req->async = NULL;

	req->enc_state = NULL;
	req->recv_helper.fn = NULL;

	SSVAL(req->outbuf, smb_tid, cli->cnum);
	cli_setup_packet_buf(cli, req->outbuf);

	req->mid = cli_new_mid(cli);
	SSVAL(req->outbuf, smb_mid, req->mid);

	cli->chain_accumulator = req;

	DEBUG(10, ("cli_chain_cork: mid=%d\n", req->mid));

	return true;
 fail:
	TALLOC_FREE(req);
	if (cli->outstanding_requests == NULL) {
		TALLOC_FREE(cli->fd_event);
	}
	return false;
}

/**
 * Ship a request queued up via cli_request_chain()
 * @param[in] cl	The connection
 */

void cli_chain_uncork(struct cli_state *cli)
{
	struct cli_request *req = cli->chain_accumulator;

	SMB_ASSERT(req != NULL);

	DLIST_ADD_END(cli->outstanding_requests, req, struct cli_request *);
	talloc_set_destructor(req, cli_request_destructor);

	cli->chain_accumulator = NULL;

	smb_setlen(req->outbuf, talloc_get_size(req->outbuf) - 4);

	cli_calculate_sign_mac(cli, req->outbuf);

	if (cli_encryption_on(cli)) {
		NTSTATUS status;
		char *enc_buf;

		status = cli_encrypt_message(cli, req->outbuf, &enc_buf);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(0, ("Error in encrypting client message. "
				  "Error %s\n",	nt_errstr(status)));
			TALLOC_FREE(req);
			return;
		}
		req->outbuf = enc_buf;
		req->enc_state = cli->trans_enc_state;
	}

	req->sent = 0;

	event_fd_set_writeable(cli->fd_event);
}

/**
 * @brief Send a request to the server
 * @param[in] mem_ctx		The TALLOC_CTX for the result
 * @param[in] ev		The event context that will call us back
 * @param[in] cli		The cli_state we queue the request up for
 * @param[in] smb_command	The command that we want to issue
 * @param[in] additional_flags	open_and_x wants to add oplock header flags
 * @param[in] wct		How many words?
 * @param[in] vwv		The words, already in network order
 * @param[in] num_bytes		How many bytes?
 * @param[in] bytes		The data the request ships
 *
 * This is the generic routine to be used by the cli_xxx_send routines.
 */

struct async_req *cli_request_send(TALLOC_CTX *mem_ctx,
				   struct event_context *ev,
				   struct cli_state *cli,
				   uint8_t smb_command,
				   uint8_t additional_flags,
				   uint8_t wct, const uint16_t *vwv,
				   uint16_t num_bytes, const uint8_t *bytes)
{
	struct async_req *result;
	bool uncork = false;

	if (cli->chain_accumulator == NULL) {
		if (!cli_chain_cork(cli, ev,
				    wct * sizeof(uint16_t) + num_bytes + 3)) {
			DEBUG(1, ("cli_chain_cork failed\n"));
			return NULL;
		}
		uncork = true;
	}

	result = cli_request_chain(mem_ctx, ev, cli, smb_command,
				   additional_flags, wct, vwv,
				   num_bytes, bytes);

	if (result == NULL) {
		DEBUG(1, ("cli_request_chain failed\n"));
	}

	if (uncork) {
		cli_chain_uncork(cli);
	}

	return result;
}

/**
 * Figure out if there is an andx command behind the current one
 * @param[in] buf	The smb buffer to look at
 * @param[in] ofs	The offset to the wct field that is followed by the cmd
 * @retval Is there a command following?
 */

static bool have_andx_command(const char *buf, uint16_t ofs)
{
	uint8_t wct;
	size_t buflen = talloc_get_size(buf);

	if ((ofs == buflen-1) || (ofs == buflen)) {
		return false;
	}

	wct = CVAL(buf, ofs);
	if (wct < 2) {
		/*
		 * Not enough space for the command and a following pointer
		 */
		return false;
	}
	return (CVAL(buf, ofs+1) != 0xff);
}

/**
 * @brief Pull reply data out of a request
 * @param[in] req		The request that we just received a reply for
 * @param[out] pwct		How many words did the server send?
 * @param[out] pvwv		The words themselves
 * @param[out] pnum_bytes	How many bytes did the server send?
 * @param[out] pbytes		The bytes themselves
 * @retval Was the reply formally correct?
 */

NTSTATUS cli_pull_reply(struct async_req *req,
			uint8_t *pwct, uint16_t **pvwv,
			uint16_t *pnum_bytes, uint8_t **pbytes)
{
	struct cli_request *cli_req = talloc_get_type_abort(
		req->private_data, struct cli_request);
	uint8_t wct, cmd;
	uint16_t num_bytes;
	size_t wct_ofs, bytes_offset;
	int i, j;
	NTSTATUS status;

	for (i = 0; i < cli_req->num_async; i++) {
		if (req == cli_req->async[i]) {
			break;
		}
	}

	if (i == cli_req->num_async) {
		cli_set_error(cli_req->cli, NT_STATUS_INVALID_PARAMETER);
		return NT_STATUS_INVALID_PARAMETER;
	}

	/**
	 * The status we pull here is only relevant for the last reply in the
	 * chain.
	 */

	status = cli_pull_error(cli_req->inbuf);

	if (i == 0) {
		if (NT_STATUS_IS_ERR(status)
		    && !have_andx_command(cli_req->inbuf, smb_wct)) {
			cli_set_error(cli_req->cli, status);
			return status;
		}
		wct_ofs = smb_wct;
		goto done;
	}

	cmd = CVAL(cli_req->inbuf, smb_com);
	wct_ofs = smb_wct;

	for (j = 0; j < i; j++) {
		if (j < i-1) {
			if (cmd == 0xff) {
				return NT_STATUS_REQUEST_ABORTED;
			}
			if (!is_andx_req(cmd)) {
				return NT_STATUS_INVALID_NETWORK_RESPONSE;
			}
		}

		if (!have_andx_command(cli_req->inbuf, wct_ofs)) {
			/*
			 * This request was not completed because a previous
			 * request in the chain had received an error.
			 */
			return NT_STATUS_REQUEST_ABORTED;
		}

		wct_ofs = SVAL(cli_req->inbuf, wct_ofs + 3);

		/*
		 * Skip the all-present length field. No overflow, we've just
		 * put a 16-bit value into a size_t.
		 */
		wct_ofs += 4;

		if (wct_ofs+2 > talloc_get_size(cli_req->inbuf)) {
			return NT_STATUS_INVALID_NETWORK_RESPONSE;
		}

		cmd = CVAL(cli_req->inbuf, wct_ofs + 1);
	}

	if (!have_andx_command(cli_req->inbuf, wct_ofs)
	    && NT_STATUS_IS_ERR(status)) {
		/*
		 * The last command takes the error code. All further commands
		 * down the requested chain will get a
		 * NT_STATUS_REQUEST_ABORTED.
		 */
		return status;
	}

 done:
	wct = CVAL(cli_req->inbuf, wct_ofs);

	bytes_offset = wct_ofs + 1 + wct * sizeof(uint16_t);
	num_bytes = SVAL(cli_req->inbuf, bytes_offset);

	/*
	 * wct_ofs is a 16-bit value plus 4, wct is a 8-bit value, num_bytes
	 * is a 16-bit value. So bytes_offset being size_t should be far from
	 * wrapping.
	 */

	if ((bytes_offset + 2 > talloc_get_size(cli_req->inbuf))
	    || (bytes_offset > 0xffff)) {
		return NT_STATUS_INVALID_NETWORK_RESPONSE;
	}

	*pwct = wct;
	*pvwv = (uint16_t *)(cli_req->inbuf + wct_ofs + 1);
	*pnum_bytes = num_bytes;
	*pbytes = (uint8_t *)cli_req->inbuf + bytes_offset + 2;

	return NT_STATUS_OK;
}

/**
 * A PDU has arrived on cli->evt_inbuf
 * @param[in] cli	The cli_state that received something
 */

static void handle_incoming_pdu(struct cli_state *cli)
{
	struct cli_request *req;
	uint16_t mid;
	size_t raw_pdu_len, buf_len, pdu_len, rest_len;
	char *pdu;
	int i;
	NTSTATUS status;

	int num_async;

	/*
	 * The encrypted PDU len might differ from the unencrypted one
	 */
	raw_pdu_len = smb_len(cli->evt_inbuf) + 4;
	buf_len = talloc_get_size(cli->evt_inbuf);
	rest_len = buf_len - raw_pdu_len;

	if (buf_len == raw_pdu_len) {
		/*
		 * Optimal case: Exactly one PDU was in the socket buffer
		 */
		pdu = cli->evt_inbuf;
		cli->evt_inbuf = NULL;
	}
	else {
		DEBUG(11, ("buf_len = %d, raw_pdu_len = %d, splitting "
			   "buffer\n", (int)buf_len, (int)raw_pdu_len));

		if (raw_pdu_len < rest_len) {
			/*
			 * The PDU is shorter, talloc_memdup that one.
			 */
			pdu = (char *)talloc_memdup(
				cli, cli->evt_inbuf, raw_pdu_len);

			memmove(cli->evt_inbuf,	cli->evt_inbuf + raw_pdu_len,
				buf_len - raw_pdu_len);

			cli->evt_inbuf = TALLOC_REALLOC_ARRAY(
				NULL, cli->evt_inbuf, char, rest_len);

			if (pdu == NULL) {
				status = NT_STATUS_NO_MEMORY;
				goto invalidate_requests;
			}
		}
		else {
			/*
			 * The PDU is larger than the rest, talloc_memdup the
			 * rest
			 */
			pdu = cli->evt_inbuf;

			cli->evt_inbuf = (char *)talloc_memdup(
				cli, pdu + raw_pdu_len,	rest_len);

			if (cli->evt_inbuf == NULL) {
				status = NT_STATUS_NO_MEMORY;
				goto invalidate_requests;
			}
		}

	}

	/*
	 * TODO: Handle oplock break requests
	 */

	if (cli_encryption_on(cli) && CVAL(pdu, 0) == 0) {
		uint16_t enc_ctx_num;

		status = get_enc_ctx_num((uint8_t *)pdu, &enc_ctx_num);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(10, ("get_enc_ctx_num returned %s\n",
				   nt_errstr(status)));
			goto invalidate_requests;
		}

		if (enc_ctx_num != cli->trans_enc_state->enc_ctx_num) {
			DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
				   enc_ctx_num,
				   cli->trans_enc_state->enc_ctx_num));
			status = NT_STATUS_INVALID_HANDLE;
			goto invalidate_requests;
		}

		status = common_decrypt_buffer(cli->trans_enc_state,
					       pdu);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(10, ("common_decrypt_buffer returned %s\n",
				   nt_errstr(status)));
			goto invalidate_requests;
		}
	}

	if (!cli_check_sign_mac(cli, pdu)) {
		DEBUG(10, ("cli_check_sign_mac failed\n"));
		status = NT_STATUS_ACCESS_DENIED;
		goto invalidate_requests;
	}

	mid = SVAL(pdu, smb_mid);

	DEBUG(10, ("handle_incoming_pdu: got mid %d\n", mid));

	for (req = cli->outstanding_requests; req; req = req->next) {
		if (req->mid == mid) {
			break;
		}
	}

	pdu_len = smb_len(pdu) + 4;

	if (req == NULL) {
		DEBUG(3, ("Request for mid %d not found, dumping PDU\n", mid));

		TALLOC_FREE(pdu);
		return;
	}

	req->inbuf = talloc_move(req, &pdu);

	/*
	 * Freeing the last async_req will free the req (see
	 * cli_async_req_destructor). So make a copy of req->num_async, we
	 * can't reference it in the last round.
	 */

	num_async = req->num_async;

	for (i=0; i<num_async; i++) {
		/**
		 * A request might have been talloc_free()'ed before we arrive
		 * here. It will have removed itself from req->async via its
		 * destructor cli_async_req_destructor().
		 */
		if (req->async[i] != NULL) {
			if (req->recv_helper.fn != NULL) {
				req->recv_helper.fn(req->async[i]);
			} else {
				async_req_done(req->async[i]);
			}
		}
	}
	return;

 invalidate_requests:

	DEBUG(10, ("handle_incoming_pdu: Aborting with %s\n",
		   nt_errstr(status)));

	for (req = cli->outstanding_requests; req; req = req->next) {
		async_req_error(req->async[0], status);
	}
	return;
}

/**
 * fd event callback. This is the basic connection to the socket
 * @param[in] event_ctx	The event context that called us
 * @param[in] event	The event that fired
 * @param[in] flags	EVENT_FD_READ | EVENT_FD_WRITE
 * @param[in] p		private_data, in this case the cli_state
 */

static void cli_state_handler(struct event_context *event_ctx,
			      struct fd_event *event, uint16 flags, void *p)
{
	struct cli_state *cli = (struct cli_state *)p;
	struct cli_request *req;
	NTSTATUS status;

	DEBUG(11, ("cli_state_handler called with flags %d\n", flags));

	if (flags & EVENT_FD_READ) {
		int res, available;
		size_t old_size, new_size;
		char *tmp;

		res = ioctl(cli->fd, FIONREAD, &available);
		if (res == -1) {
			DEBUG(10, ("ioctl(FIONREAD) failed: %s\n",
				   strerror(errno)));
			status = map_nt_error_from_unix(errno);
			goto sock_error;
		}

		if (available == 0) {
			/* EOF */
			status = NT_STATUS_END_OF_FILE;
			goto sock_error;
		}

		old_size = talloc_get_size(cli->evt_inbuf);
		new_size = old_size + available;

		if (new_size < old_size) {
			/* wrap */
			status = NT_STATUS_UNEXPECTED_IO_ERROR;
			goto sock_error;
		}

		tmp = TALLOC_REALLOC_ARRAY(cli, cli->evt_inbuf, char,
					   new_size);
		if (tmp == NULL) {
			/* nomem */
			status = NT_STATUS_NO_MEMORY;
			goto sock_error;
		}
		cli->evt_inbuf = tmp;

		res = recv(cli->fd, cli->evt_inbuf + old_size, available, 0);
		if (res == -1) {
			DEBUG(10, ("recv failed: %s\n", strerror(errno)));
			status = map_nt_error_from_unix(errno);
			goto sock_error;
		}

		DEBUG(11, ("cli_state_handler: received %d bytes, "
			   "smb_len(evt_inbuf) = %d\n", (int)res,
			   smb_len(cli->evt_inbuf)));

		/* recv *might* have returned less than announced */
		new_size = old_size + res;

		/* shrink, so I don't expect errors here */
		cli->evt_inbuf = TALLOC_REALLOC_ARRAY(cli, cli->evt_inbuf,
						      char, new_size);

		while ((cli->evt_inbuf != NULL)
		       && ((smb_len(cli->evt_inbuf) + 4) <= new_size)) {
			/*
			 * we've got a complete NBT level PDU in evt_inbuf
			 */
			handle_incoming_pdu(cli);
			new_size = talloc_get_size(cli->evt_inbuf);
		}
	}

	if (flags & EVENT_FD_WRITE) {
		size_t to_send;
		ssize_t sent;

		for (req = cli->outstanding_requests; req; req = req->next) {
			to_send = smb_len(req->outbuf)+4;
			if (to_send > req->sent) {
				break;
			}
		}

		if (req == NULL) {
			if (cli->fd_event != NULL) {
				event_fd_set_not_writeable(cli->fd_event);
			}
			return;
		}

		sent = send(cli->fd, req->outbuf + req->sent,
			    to_send - req->sent, 0);

		if (sent < 0) {
			status = map_nt_error_from_unix(errno);
			goto sock_error;
		}

		req->sent += sent;

		if (req->sent == to_send) {
			return;
		}
	}
	return;

 sock_error:
	for (req = cli->outstanding_requests; req; req = req->next) {
		int i;
		for (i=0; i<req->num_async; i++) {
			async_req_error(req->async[i], status);
		}
	}
	TALLOC_FREE(cli->fd_event);
	close(cli->fd);
	cli->fd = -1;
}