We found a stack buffer overflow vulnerability in the **A15** (firmware version V15.13.07.13).
In the handler function for action /goform/WifiBasicSet, the user-controlled string “wrlPwd” is stored into “wl2g.extra.wpapsk_psk” via SetValue.
In the handler for /goform/WifiBasicGet, the string is then loaded from “wl2g.extra.wpapsk_psk” and stored into the stack buffer wifi_buf_entry. Because the length of “wrlPwd” is not checked, the stack buffer can be overflowed if the string is large.
The GetValue function should accept a length argument to avoid the buffer overflow.
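
The following is an added example, not the firmware's code: it sketches the suggested fix as a read that takes the destination size, next to a length check on the write side. The function names, the in-memory store and both buffer sizes are assumptions; the advisory does not give the size of wifi_buf_entry.

```c
#include <stdio.h>
#include <string.h>

#define WIFI_BUF_LEN 64   /* assumed size of wifi_buf_entry; not given on the page */
#define STORE_MAX    512  /* assumed capacity of the config slot */

static char psk_slot[STORE_MAX]; /* constructed stand-in for wl2g.extra.wpapsk_psk */

/* Length of s, scanning at most max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max) {
    const char *end = memchr(s, '\0', max);
    return end ? (size_t)(end - s) : max;
}

/* Write side with no length policy: models the behaviour described above. */
void set_psk_unchecked(const char *wrlPwd) {
    size_t n = bounded_len(wrlPwd, STORE_MAX - 1);
    memcpy(psk_slot, wrlPwd, n);
    psk_slot[n] = '\0';
}

/* Write side, hardened: a WPA passphrase is 8..63 characters. */
int set_psk_checked(const char *wrlPwd) {
    size_t n = bounded_len(wrlPwd, 64);
    if (n < 8 || n > 63) return -1;
    memcpy(psk_slot, wrlPwd, n + 1);   /* n + 1 includes the terminator */
    return 0;
}

/* Read side, hardened: caller passes the destination size; oversize fails. */
int get_value_bounded(char *dst, size_t dst_len) {
    size_t n = bounded_len(psk_slot, STORE_MAX);
    if (dst_len == 0 || n >= dst_len) { if (dst_len) dst[0] = '\0'; return -1; }
    memcpy(dst, psk_slot, n + 1);
    return (int)n;
}

/* Handler-shaped caller: bytes copied into wifi_buf_entry, or -1. */
int wifi_basic_get(void) {
    char wifi_buf_entry[WIFI_BUF_LEN];
    return get_value_bounded(wifi_buf_entry, sizeof wifi_buf_entry);
}

int main(void) {
    char big[301]; memset(big, 'A', 300); big[300] = '\0'; /* constructed input */
    printf("checked set: %d\n", set_psk_checked(big));
    set_psk_unchecked(big);
    printf("bounded get: %d\n", wifi_basic_get());
    return 0;
}
```

The bounded read matters even with the write-side check in place, because a value stored before the check existed, or written through another path, still reaches the getter.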