fix(hci/gap): bound extended adv EIR to Data_Length and harden malformed service-data parsing

[peterneutron]

Summary

Follow-up to #64

This fixes an extended advertising parsing issue where the current report's EIR payload was not bounded to its declared Data_Length. When multiple extended advertising reports are included in a single HCI event, bytes from the next report could be passed into gap.js as if they belonged to the current report.

It also hardens gap.js service-data parsing so malformed/truncated service-data AD fields do not crash parsing.

What changed

lib/hci-socket/hci.js

• Bound the extended advertising EIR slice to eirLength
  • from data.slice(24)
  • to data.slice(24, 24 + eirLength)
• Kept malformed packet guards for:
  • short report headers (data.length < 24)
  • truncated EIR payloads (data.length < 24 + eirLength)
• Moved this.emit('leExtendedAdvertisingReport', ...) outside the parser try/catch
  • parser errors remain labeled as malformed packet issues
  • downstream listener errors are no longer misattributed as HCI parser overflows

lib/hci-socket/gap.js

• Added a guard for service-data AD types (0x16, 0x20, 0x21) so UUID parsing only runs when the payload is at least the required UUID length
• Malformed/truncated service-data entries are skipped instead of throwing

Why this is safe

• Extended advertising reports already carry Data_Length; bounding the EIR slice to that length matches the report framing
• For service-data AD fields, the UUID is mandatory, so a payload shorter than the UUID length is malformed
• Valid UUID-only service-data fields (empty service payload) still work

Validation

• Local test suite passes
• Long-running scan churn reproduction on Linux no longer reproduced the null.reverse() failure after applying the fix