diff --git a/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch b/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
new file mode 100644
index 0000000..23d43d7
--- /dev/null
+++ b/0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
@@ -0,0 +1,33 @@
+From 1b5e2423164b3670e8bc9174e4762d297990deff Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+Date: Thu, 14 Feb 2019 13:43:47 +0100
+Subject: [PATCH] brcmfmac: assure SSID length from firmware is limited
+
+The SSID length as received from firmware should not exceed
+IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
+
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index b5e291ed9496..012275fc3bf7 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3507,6 +3507,8 @@ brcmf_wowl_nd_results(struct brcmf_if *ifp, const struct brcmf_event_msg *e,
+ 	}
+
+ 	netinfo = brcmf_get_netinfo_array(pfn_result);
++	if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
++		netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
+ 	memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
+ 	cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
+ 	cfg->wowl.nd->n_channels = 1;
+-- 
+2.20.1
+
diff --git a/kernel.spec b/kernel.spec
index d1aa2ed..df4743a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -631,6 +631,9 @@ Patch516: 0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
 # CVE-2019-3882 rhbz 1689426 1695571
 Patch517: vfio-type1-limit-dma-mappings-per-container.patch
 
+# CVE-2019-9500 rhbz 1701224 1701226
+Patch518: 0001-brcmfmac-assure-SSID-length-from-firmware-is-limited.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1904,6 +1907,9 @@ fi
 #
 #
 %changelog
+* Thu Apr 18 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-9500 (rhbz 1701224 1701226)
+
 * Wed Apr 17 2019 Laura Abbott <labbott@redhat.com> - 5.0.8-300
 - Linux v5.0.8