From 05c283246c5c30c50bf0f4f58602e0b3a55c9980 Mon Sep 17 00:00:00 2001
From: Andrew Talbot <andrew.talbot@talbotville.com>
Date: Mon, 19 Jan 2009 17:34:54 +0000
Subject: [PATCH] netapi32: Fix some limits and bounds checking.

---
 dlls/netapi32/nbt.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/dlls/netapi32/nbt.c b/dlls/netapi32/nbt.c
index 8db87b4b9de..5042baabc97 100644
--- a/dlls/netapi32/nbt.c
+++ b/dlls/netapi32/nbt.c
@@ -103,8 +103,8 @@ WINE_DEFAULT_DEBUG_CHANNEL(netbios);
 #define MIN_CACHE_TIMEOUT   60000
 #define CACHE_TIMEOUT       360000
 
-#define MAX_NBT_NAME_SZ (NCBNAMSZ * 2 + MAX_DOMAIN_NAME_LEN + 2)
-#define SIMPLE_NAME_QUERY_PKT_SIZE 26 + MAX_NBT_NAME_SZ
+#define MAX_NBT_NAME_SZ            255
+#define SIMPLE_NAME_QUERY_PKT_SIZE 16 + MAX_NBT_NAME_SZ
 
 #define DEFAULT_NBT_SESSIONS 16
 
@@ -156,7 +156,7 @@ static DWORD gWINSQueries;
 static DWORD gWINSQueryTimeout;
 static DWORD gWINSServers[MAX_WINS_SERVERS];
 static int   gNumWINSServers;
-static char  gScopeID[MAX_DOMAIN_NAME_LEN];
+static char  gScopeID[MAX_SCOPE_ID_LEN];
 static DWORD gCacheTimeout;
 static struct NBNameCache *gNameCache;
 
@@ -1493,7 +1493,7 @@ void NetBTInit(void)
          (LPBYTE)&dword, &size) == ERROR_SUCCESS && dword >= MIN_QUERY_TIMEOUT
          && dword <= MAX_QUERY_TIMEOUT)
             gWINSQueryTimeout = dword;
-        size = MAX_DOMAIN_NAME_LEN - 1;
+        size = sizeof(gScopeID) - 1;
         if (RegQueryValueExW(hKey, ScopeIDW, NULL, NULL, (LPBYTE)gScopeID + 1, &size)
          == ERROR_SUCCESS)
         {
@@ -1501,11 +1501,11 @@ void NetBTInit(void)
                NetBTNameEncode */
             char *ptr, *lenPtr;
 
-            for (ptr = gScopeID + 1; *ptr &&
-             ptr - gScopeID < MAX_DOMAIN_NAME_LEN; )
+            for (ptr = gScopeID + 1; ptr - gScopeID < sizeof(gScopeID) && *ptr; )
             {
-                for (lenPtr = ptr - 1, *lenPtr = 0; *ptr && *ptr != '.' &&
-                 ptr - gScopeID < MAX_DOMAIN_NAME_LEN; ptr++)
+                for (lenPtr = ptr - 1, *lenPtr = 0;
+                     ptr - gScopeID < sizeof(gScopeID) && *ptr && *ptr != '.';
+                     ptr++)
                     *lenPtr += 1;
                 ptr++;
             }