We found a stack buffer overflow vulnerability in the **A15** (firmware version V15.13.07.13).

In the handler function for the action `/goform/WifiBasicSet`, the user-controlled string `wrlEn` is stored into `wl2g.enable` via `SetValue`.

Later, in the handler for `/goform/WifiBasicGet`, the string is loaded from `wl2g.enable` and copied into the stack buffer `wl2g_enable`. Because the length of `wrlEn` is never checked, a sufficiently long string overflows the stack buffer.

Fix Suggestion

The `GetValue` function should accept a length argument so that it cannot write past the end of the destination buffer.
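
A sketch of the suggested fix, added here as an example and not taken from the vendor's firmware: a getter that takes the destination size and rejects values that do not fit. The names `set_value`, `get_value_n`, `wifi_basic_get_enable`, the in-memory store, the 8-byte buffer size and the meaning of `"1"` are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the config store; the real layout is not on the page. */
#define CFG_VALUE_MAX 256
static struct { const char *key; char value[CFG_VALUE_MAX]; } cfg_store[] = {
    { "wl2g.enable", "" },
};

static char *cfg_slot(const char *key)
{
    if (key == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof cfg_store / sizeof cfg_store[0]; i++)
        if (strcmp(cfg_store[i].key, key) == 0)
            return cfg_store[i].value;
    return NULL;
}

/* Hypothetical setter: refuses values that do not fit the store slot. */
int set_value(const char *key, const char *val)
{
    char *slot = cfg_slot(key);
    if (slot == NULL || val == NULL || strlen(val) >= CFG_VALUE_MAX)
        return -1;
    memcpy(slot, val, strlen(val) + 1);   /* length checked above */
    return 0;
}

/* Hypothetical bounded getter: the caller states how large dst is.
 * A value that does not fit is rejected (not silently truncated) and
 * dst is left as an empty string. */
int get_value_n(const char *key, char *dst, size_t dst_len)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    const char *slot = cfg_slot(key);
    if (slot == NULL || strlen(slot) >= dst_len)
        return -1;
    memcpy(dst, slot, strlen(slot) + 1);
    return 0;
}

/* Caller in the style of the WifiBasicGet handler. Returns 1 or 0 for the
 * stored flag (assumed "1" = enabled), -1 if the stored value is rejected. */
int wifi_basic_get_enable(void)
{
    char wl2g_enable[8];                  /* size assumed for the example */
    if (get_value_n("wl2g.enable", wl2g_enable, sizeof wl2g_enable) != 0)
        return -1;
    return strcmp(wl2g_enable, "1") == 0;
}
```

Passing `sizeof wl2g_enable` at the call site keeps the bound tied to the actual buffer, so a later change to the buffer size cannot reintroduce the overflow.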