We found a stack buffer overflow vulnerability in the **A15** (firmware version V15.13.07.13).
In the handler function for action /goform/WifiBasicSet, the user-controlled string “wrlPwd_5g” is stored into “wl5g.extra.wpapsk_psk” via SetValue.
Later, the handler for /goform/WifiBasicGet loads the string from “wl5g.extra.wpapsk_psk” and stores it into the stack buffer wifi_buf_entry. Because the length of “wrlPwd_5g” is never checked, a large string overflows the stack buffer.
The GetValue function should accept a length argument to avoid the buffer overflow.
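
The suggested fix, sketched as an added example (not the vendor's code): the value is validated when it is set, and the getter takes the size of the caller's buffer. The names `psk_is_valid`, `set_psk`, `get_value_n`, `wifi_basic_get`, the one-entry store and the buffer size are assumptions; only the 8 to 63 character passphrase form of a WPA PSK is handled.

```c
#include <stdio.h>
#include <string.h>

#define PSK_MIN 8   /* WPA passphrase length limits (passphrase form) */
#define PSK_MAX 63

/* Constructed one-entry stand-in for the config store (assumption). */
static char store_val[512];

/* Set-handler check: accept only 8..63 printable ASCII characters. */
int psk_is_valid(const char *psk)
{
    size_t n = strlen(psk);
    if (n < PSK_MIN || n > PSK_MAX)
        return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)psk[i] < 0x20 || (unsigned char)psk[i] > 0x7e)
            return 0;
    return 1;
}

/* Hypothetical setter: persists only values that pass validation. */
int set_psk(const char *psk)
{
    if (!psk_is_valid(psk))
        return -1;
    strcpy(store_val, psk);   /* safe: length <= PSK_MAX < sizeof store_val */
    return 0;
}

/* Hypothetical bounded getter: the caller passes its buffer size. Returns 0
 * on success, -1 if the stored value plus NUL does not fit. It never
 * truncates silently and never writes past out[outlen - 1]. */
int get_value_n(char *out, size_t outlen)
{
    size_t n = strlen(store_val);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, store_val, n + 1);
    return 0;
}

/* Get-handler side: fixed stack buffer (its size here is an assumption). */
int wifi_basic_get(char *resp, size_t resplen)
{
    char wifi_buf_entry[PSK_MAX + 1];
    if (get_value_n(wifi_buf_entry, sizeof wifi_buf_entry) != 0)
        return -1;            /* oversized stored value: fail, do not copy */
    snprintf(resp, resplen, "wrlPwd_5g=%s", wifi_buf_entry);
    return 0;
}
```

The bounded getter matters even with the set-time check in place, because a configuration value written before the check existed can still be oversized when it is read back.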