/* { dg-do compile } */
// TODO: remove need for -fanalyzer-checker=taint here:
/* { dg-options "-fanalyzer -fanalyzer-checker=taint" } */
/* { dg-require-effective-target analyzer } */

/* See notes in this header.  */
#include "taint-CVE-2011-0521.h"

// TODO: remove need for this option
/* { dg-additional-options "-fanalyzer-checker=taint" } */

/* Adapted from drivers/media/dvb/ttpci/av7110_ca.c  */

int dvb_ca_ioctl(struct file *file, unsigned int cmd, void *parg)
{
	struct dvb_device *dvbdev = file->private_data;
	struct av7110 *av7110 = dvbdev->priv;
	unsigned long arg = (unsigned long) parg;

	/* case CA_GET_SLOT_INFO:  */
	{
		ca_slot_info_t *info=(ca_slot_info_t *)parg;

		if (info->num < 0 || info->num > 1)
			return -EINVAL;
		av7110->ci_slot[info->num].num = info->num; /* { dg-bogus "attacker-controlled value" } */
		av7110->ci_slot[info->num].type = FW_CI_LL_SUPPORT(av7110->arm_app) ?
							CA_CI_LINK : CA_CI;
		memcpy(info, &av7110->ci_slot[info->num], sizeof(ca_slot_info_t));
	}
	return 0;
}

/* Adapted from drivers/media/dvb/dvb-core/dvbdev.c
   Further simplified from -2; always use an on-stack buffer.  */

static DEFINE_MUTEX(dvbdev_mutex);

int dvb_usercopy(struct file *file,
		 unsigned int cmd, unsigned long arg)
{
	char    sbuf[128];
	void    *parg = sbuf;
	int     err = -EFAULT;
	if (copy_from_user(parg, (void __user *)arg, sizeof(sbuf)))
	  goto out;

	mutex_lock(&dvbdev_mutex);
	if ((err = dvb_ca_ioctl(file, cmd, parg)) == -ENOIOCTLCMD)
		err = -EINVAL;
	mutex_unlock(&dvbdev_mutex);

	if (err < 0)
		goto out;

	if (copy_to_user((void __user *)arg, parg, sizeof(sbuf)))
	  err = -EFAULT;

out:
	return err;
}