PT-2026-30142 · Linux · Linux
Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-23447
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

The same bounds-check bug fixed for NDP16 in the previous patch also
exists in cdc_ncm_rx_verify_ndp32(). The DPE array size is validated
against the total skb length without accounting for ndpoffset, allowing
out-of-bounds reads when the NDP32 is placed near the end of the NTB.

Add ndpoffset to the nframes bounds check and use struct_size_t() to
express the NDP-plus-DPE-array size more clearly.

Compile-tested only.
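
The bounds check described above, modelled in userspace C as an added example; it is not the kernel's code and not part of the commit. The function names are hypothetical, the 16-byte NDP32 header, 8-byte DPE32 entry and 32-byte minimum length are assumptions of the model, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for this model: 16-byte NDP32 header, 8-byte DPE32 entry. */
#define NDP32_HDR 16u
#define DPE32     8u

/* Entries implied by the NDP's length field, minus the terminator; -1 if bad. */
static int nframes_from_wlength(size_t ntb_len, size_t ndpoffset, uint16_t wlength)
{
    if (ndpoffset > ntb_len || ntb_len - ndpoffset < NDP32_HDR)
        return -1;                 /* NDP header itself does not fit */
    if (wlength < NDP32_HDR + 2 * DPE32)
        return -1;                 /* model minimum: one entry plus terminator */
    return (int)((wlength - NDP32_HDR) / DPE32) - 1;
}

/* Check as the advisory describes the unfixed code: size vs. total length only. */
static int verify_ndp32_no_offset(size_t ntb_len, size_t ndpoffset, uint16_t wlength)
{
    int n = nframes_from_wlength(ntb_len, ndpoffset, wlength);

    if (n < 0 || NDP32_HDR + (size_t)n * DPE32 > ntb_len)
        return -1;
    return n;
}

/* Same check with ndpoffset added, so the array must end inside the NTB. */
static int verify_ndp32_with_offset(size_t ntb_len, size_t ndpoffset, uint16_t wlength)
{
    int n = nframes_from_wlength(ntb_len, ndpoffset, wlength);

    if (n < 0 || ndpoffset + NDP32_HDR + (size_t)n * DPE32 > ntb_len)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed input: 512-byte NTB, NDP32 at offset 480, wLength = 88. */
    printf("no offset:   %d\n", verify_ndp32_no_offset(512, 480, 88));
    printf("with offset: %d\n", verify_ndp32_with_offset(512, 480, 88));
    /* Constructed input: NDP32 near the start, wLength = 32. */
    printf("benign:      %d\n", verify_ndp32_with_offset(512, 16, 32));
    return 0;
}
```

With the NDP32 at offset 480 of a 512-byte NTB, the first check accepts 8 entries whose array would end at byte 560, while the second rejects the NDP.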
Related Identifiers
Affected Products
Linux