Fix 4 code bugs: substr off-by-one, HANDLE* cast, TOCTOU GetLastError, sun_path overflow (#14297)

Bug 1 - LxssHttpProxy.cpp: IPv6 substr extraction used wrong length
  calculation. substr(openBracket+1, closeBracket-1) is incorrect when
  openBracket > 0; fixed to substr(openBracket+1, closeBracket-openBracket-1).
  Also fixed empty-address guard to check closeBracket (not closeBracket-1).

Bug 2 - LxssUserSession.cpp: Two instances of reinterpret_cast<HANDLE*> in
  ScopedMultiRelay construction should be reinterpret_cast<HANDLE> (without
  the pointer). Other identical callsites in the same file already use the
  correct cast.

Bug 3 - LxssUserSession.cpp: GetLastError() was called unconditionally after
  CreateFileW, even on success. A stale ERROR_SHARING_VIOLATION from a prior
  API call could cause a false throw. Fixed to only check GetLastError() when
  CreateFileW fails (!vhd).

Bug 4 - plan9.cpp: sun_path bounds check used > instead of >= leaving no room
  for null terminator. Also added a post-split check to ensure the child name
  fits after splitting parent/child for long paths.

Co-authored-by: Ben Hillis <benhill@ntdev.microsoft.com>

Author: benhillis

src/linux/init/plan9.cpp

@@ -51,9 +51,9 @@ wil::unique_fd CreateUnixServerSocket(const char* path)
         }
     });
 
-    // Check if the path will fit in a sockaddr_un.
+    // Check if the path will fit in a sockaddr_un (with room for null terminator).
     std::string_view pathView{path};
-    if (pathView.length() > sizeof(sockaddr_un::sun_path))
+    if (pathView.length() >= sizeof(sockaddr_un::sun_path))
     {
         // It won't, so split the parent path and child name.
         auto index = pathView.find_last_of('/');
@@ -64,6 +64,9 @@ wil::unique_fd CreateUnixServerSocket(const char* path)
         const std::string parent{pathView.substr(0, index)};
         pathView = pathView.substr(index + 1);
 
+        // Ensure the child name fits in sun_path (with null terminator).
+        THROW_ERRNO_IF(ENAMETOOLONG, pathView.length() >= sizeof(sockaddr_un::sun_path));
+
         // Get the current working directory to restore it later, and change to the socket's parent
         // path.
         oldCwd = getcwd(oldCwdBuffer, sizeof(oldCwdBuffer));

src/windows/service/exe/LxssHttpProxy.cpp

@@ -327,12 +327,12 @@ try
     if (openBracket != ::std::wstring::npos)
     {
         const auto closeBracket = portRemoved.find_first_of(L"]");
-        if (closeBracket == ::std::wstring::npos || (openBracket + 1 >= closeBracket - 1))
+        if (closeBracket == ::std::wstring::npos || (openBracket + 1 >= closeBracket))
         {
             // no other of below checks can contain brackets
             return UnsupportedProxyReason::Supported;
         }
-        portRemoved = portRemoved.substr(openBracket + 1, closeBracket - 1);
+        portRemoved = portRemoved.substr(openBracket + 1, closeBracket - openBracket - 1);
     }
 
     in6_addr addrV6{};

src/windows/service/exe/LxssUserSession.cpp

@@ -1737,11 +1737,15 @@ try
     RETURN_HR_IF(WSL_E_DISTRO_NOT_STOPPED, m_runningInstances.contains(*DistroGuid));
 
     const wil::unique_hfile vhd{::CreateFileW(configuration.VhdFilePath.c_str(), GENERIC_WRITE, 0, nullptr, OPEN_EXISTING, 0, nullptr)};
-    if (const DWORD err = GetLastError(); err == ERROR_SHARING_VIOLATION)
+    if (!vhd)
     {
-        THROW_HR_WITH_USER_ERROR(HRESULT_FROM_WIN32(err), wsl::shared::Localization::MessageVhdInUse());
+        const DWORD err = GetLastError();
+        if (err == ERROR_SHARING_VIOLATION)
+        {
+            THROW_HR_WITH_USER_ERROR(HRESULT_FROM_WIN32(err), wsl::shared::Localization::MessageVhdInUse());
+        }
+        THROW_WIN32(err);
     }
-    THROW_LAST_ERROR_IF(!vhd);
 
     FILE_SET_SPARSE_BUFFER buffer{
         .SetSparse = Sparse,
@@ -1949,7 +1953,7 @@ HRESULT LxssUserSessionImpl::SetVersion(_In_ LPCGUID DistroGuid, _In_ ULONG Vers
             auto wsl1Pipe = wsl::windows::common::wslutil::OpenAnonymousPipe(LX_RELAY_BUFFER_SIZE, true, true);
 
             wsl::windows::common::relay::ScopedMultiRelay stdErrRelay(
-                std::vector<HANDLE>{wsl1Pipe.first.get(), reinterpret_cast<HANDLE*>(vmContext.errorSocket.get())}, onTarOutput);
+                std::vector<HANDLE>{wsl1Pipe.first.get(), reinterpret_cast<HANDLE>(vmContext.errorSocket.get())}, onTarOutput);
 
             // Add mounts for the rootfs and tools.
             auto mounts = _CreateSetupMounts(configuration);
@@ -2014,7 +2018,7 @@ HRESULT LxssUserSessionImpl::SetVersion(_In_ LPCGUID DistroGuid, _In_ ULONG Vers
             auto wsl1Pipe = wsl::windows::common::wslutil::OpenAnonymousPipe(LX_RELAY_BUFFER_SIZE, true, true);
 
             wsl::windows::common::relay::ScopedMultiRelay stdErrRelay(
-                std::vector<HANDLE>{wsl1Pipe.first.get(), reinterpret_cast<HANDLE*>(vmContext.errorSocket.get())}, onTarOutput);
+                std::vector<HANDLE>{wsl1Pipe.first.get(), reinterpret_cast<HANDLE>(vmContext.errorSocket.get())}, onTarOutput);
 
             // Add mounts for the rootfs and tools.
             auto mounts = _CreateSetupMounts(configuration);