/* Reduced from false positive in Linux kernel
   in drivers/char/ipmi/ipmi_devintf.c.  */

/* { dg-do compile } */
/* { dg-options "-fanalyzer -O2 -Wno-attributes" } */
/* { dg-require-effective-target analyzer } */

typedef __SIZE_TYPE__ size_t;
extern void
__check_object_size(const void* ptr, unsigned long n);

extern unsigned long
copy_from_user(void*, const void*, unsigned long);

__attribute__((__always_inline__)) unsigned long
call_copy_from_user(void* to, const void* from, unsigned long n)
{
  __check_object_size(to, n);
  n = copy_from_user(to, from, n); /* { dg-bogus "use of attacker-controlled value as size without upper-bounds checking" } */
  return n;
}
struct ipmi_msg
{
  unsigned short data_len;
  unsigned char* data;
};

static int
handle_send_req(struct ipmi_msg* msg)
{
  char buf[273];
  if (msg->data_len > 272) {
    return -90;
  }
  if (call_copy_from_user(buf, msg->data, msg->data_len)) {
    return -14;
  }
  return 0;
}
long
ipmi_ioctl(void* arg)
{
  struct ipmi_msg msg;
  if (call_copy_from_user(&msg, arg, sizeof(msg))) {
    return -14;
  }

  return handle_send_req(&msg);
}