The nframes bounds check in cdc_ncm_rx_fixup() validates that the NDP
fits within the skb, but omits ndpoffset from the calculation. This
allows a malicious USB device to place a valid-looking NDP at a large
offset near the end of the skb, where the frame entries extend past the
skb boundary, causing an out-of-bounds read when iterating the NDP
entries.

Fix by including ndpoffset in the size comparison, so the check
correctly verifies that the entire NDP (header + frame entries) starting
at ndpoffset fits within skb->len.

Also use struct_size_t() for the NDP size calculation instead of manual
sizeof() arithmetic, as suggested by review.

Changes since v1:
- Split into two patches with separate Fixes tags for NDP16 and NDP32
- Use struct_size_t() instead of manual sizeof() + count * sizeof()
- Verified fix prevents out-of-bounds read via fuzzer regression test

tobgaertner (2):
  net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
  net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check

 drivers/net/usb/cdc_ncm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

-- 
2.43.0