paypal / gatt

Gatt is a Go package for building Bluetooth Low Energy peripherals
BSD 3-Clause "New" or "Revised" License

Add a validation for Advertising Data. Length should not be less than 1. #67

Open buster84 opened 8 years ago

buster84 commented 8 years ago

Without this validation, "panic: runtime error: slice bounds out of range" may happen. I added a validation which ensures the length is not less than 1.

moguriso commented 7 years ago

I could confirm that the same issue occurred.

adachi@raspberrypi:~ $ sudo ./main-linux-arm
2016/12/13 09:52:36 dev: hci0 up
2016/12/13 09:52:36 dev: hci0 down
2016/12/13 09:52:36 dev: hci0 opened
Scanning...

<---- waiting for just a second ---->

panic: runtime error: slice bounds out of range

goroutine 40 [running]:
panic(0x310c88, 0x1070a018)
        /usr/lib/go/src/runtime/panic.go:481 +0x330
github.com/paypal/gatt.(Advertisement).unmarshall(0x107fa050, 0x1070e24e, 0x11, 0x11, 0x0, 0x0)
        ./vendor/src/github.com/paypal/gatt/adv.go:99 +0xd14
github.com/paypal/gatt.(device).Init.func3(0x107cc0c0)
        ./vendor/src/github.com/paypal/gatt/device_linux.go:97 +0x74
github.com/paypal/gatt/linux.(HCI).handleAdvertisement(0x107625c0, 0x107e8243, 0xc, 0xc)
        ./vendor/src/github.com/paypal/gatt/linux/hci.go:262 +0x378
created by github.com/paypal/gatt/linux.(HCI).handleLEMeta
        ./vendor/src/github.com/paypal/gatt/linux/hci.go:359 +0xc4

And I confirmed that this issue is fixed with this patch. I've checked the bluetooth kernel driver; probably the b[] array is returned from the following function.

linux/net/bluetooth/hci_event.c

static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
{
        u8 num_reports = skb->data[0];
        void *ptr = &skb->data[1];

        hci_dev_lock(hdev);

        while (num_reports--) {
                struct hci_ev_le_advertising_info *ev = ptr;

The minimum value of "num_reports" seems to be "1". Therefore this patch looks good to me. What do you think, folks?
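A minimal reproduction of the defect described in both comments above, as an added Go example that is not gatt's own code: `parseADUnchecked` trusts the advertising-data length byte the way the `unmarshall` frame in the stack trace did, while `ParseAD` applies the check this PR proposes (length not less than 1) together with a bounds check against the remaining buffer. All function names and the sample bytes are constructed for this example.

```go
package main

import "errors"

// ADStructure is one length/type/data element of BLE advertising data.
type ADStructure struct {
	Type byte
	Data []byte
}

// ErrInvalidADData is returned for a zero length byte or truncated data.
var ErrInvalidADData = errors.New("invalid advertising data")

// Constructed sample: Flags (len 2, type 0x01, value 0x06), then a zero
// length byte where a Complete Local Name (type 0x09) should start.
var badAD = []byte{0x02, 0x01, 0x06, 0x00, 0x09, 'g', 'a', 't', 't'}

// parseADUnchecked trusts the length byte as the pre-fix unmarshall did:
// a length of 0 yields b[2:1], the "slice bounds out of range" panic.
func parseADUnchecked(b []byte) []ADStructure {
	var out []ADStructure
	for len(b) > 0 {
		l, t := int(b[0]), b[1]
		out = append(out, ADStructure{Type: t, Data: b[2 : 1+l]})
		b = b[1+l:]
	}
	return out
}

// ParseAD rejects a length byte below 1 or one that runs past the buffer.
func ParseAD(b []byte) ([]ADStructure, error) {
	var out []ADStructure
	for len(b) > 0 {
		l := int(b[0])
		if l < 1 || l > len(b)-1 {
			return nil, ErrInvalidADData
		}
		out = append(out, ADStructure{Type: b[1], Data: b[2 : 1+l]})
		b = b[1+l:]
	}
	return out, nil
}

// panicsOn reports whether the unchecked parser panics on b (recovered).
func panicsOn(b []byte) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	parseADUnchecked(b)
	return false
}
```

Calling `panicsOn(badAD)` returns true, reproducing the crash from the trace, while `ParseAD(badAD)` returns `ErrInvalidADData` instead of panicking.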