We found a stack buffer overflow vulnerability in the **A15** (firmware version V15.13.07.13).

In the handler function for action /goform/WifiBasicSet, the user-controlled string “wrlPwd_5g” is stored into “wl5g.extra.wpapsk_psk” via SetValue.

The string is later loaded from “wl5g.extra.wpapsk_psk” and stored into the stack buffer wifi_buf_entry in the handler for /goform/WifiBasicGet. Because the length of “wrlPwd_5g” is not checked, the stack buffer can be overflowed if the string is large.

Fix Suggestion

The GetValue function should accept a length argument to avoid the buffer overflow.
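
A sketch of the suggested fix, added here as an example and not taken from the firmware: a getter that takes the destination size and fails closed, plus a length check on the PSK at set time. The names `cfg_set`, `cfg_get_n` and `psk_valid` and the single-entry store are hypothetical stand-ins for the firmware's SetValue/GetValue.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the firmware config store; names are hypothetical. */
#define CFG_VAL_MAX 256
static char cfg_key[64];
static char cfg_val[CFG_VAL_MAX];

/* Store a value, refusing anything that does not fit the store itself. */
int cfg_set(const char *key, const char *val)
{
    if (strlen(key) >= sizeof cfg_key || strlen(val) >= sizeof cfg_val)
        return -1;
    memcpy(cfg_key, key, strlen(key) + 1);
    memcpy(cfg_val, val, strlen(val) + 1);
    return 0;
}

/* Bounded getter: the caller passes the destination size. Fails closed
 * (empty string, -1) on a missing key or a value that does not fit. */
int cfg_get_n(const char *key, char *dst, size_t dst_len)
{
    size_t n;
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (strcmp(key, cfg_key) != 0)
        return -1;
    n = strlen(cfg_val);
    if (n >= dst_len)          /* would overflow the caller's buffer */
        return -1;
    memcpy(dst, cfg_val, n + 1);
    return 0;
}

/* Set-time check: a WPA-PSK is 8..63 characters, or exactly 64 hex digits. */
int psk_valid(const char *psk)
{
    size_t i, n = strlen(psk);
    if (n >= 8 && n <= 63)
        return 1;
    if (n != 64)
        return 0;
    for (i = 0; i < n; i++)
        if (!isxdigit((unsigned char)psk[i]))
            return 0;
    return 1;
}
```

Rejecting the value in the Set handler and bounding the copy in the Get handler are independent checks; either one alone stops the overflow described above, and applying both covers values already written to the config store.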