diff --git a/add-unit-test-for-dbus-broker.patch b/add-unit-test-for-dbus-broker.patch
index 9effae2..ea5068a 100644
--- a/add-unit-test-for-dbus-broker.patch
+++ b/add-unit-test-for-dbus-broker.patch
@@ -209,7 +209,7 @@ index 0000000..e287647
 +
 +        int i = 0;
 +        while (true) {
-+                list1 = extract_word_inlist(list1, &res);
++                list1 = extract_word_inlist(list1, &res, 1);
 +                if (!list1)
 +                        break;
 +                c_assert(!strcmp(res, res1[i++]));
@@ -217,7 +217,7 @@ index 0000000..e287647
 +
 +        i = 0;
 +        while (true) {
-+                list2 = extract_word_inlist(list2, &res);
++                list2 = extract_word_inlist(list2, &res, 3);
 +                if (!list2)
 +                        break;
 +                c_assert(!strcmp(res, res2[i++]));
diff --git a/dbus-broker.spec b/dbus-broker.spec
index 088ef1d..01b4729 100644
--- a/dbus-broker.spec
+++ b/dbus-broker.spec
@@ -1,6 +1,6 @@
 Name:     dbus-broker
 Version:  29
-Release:  8
+Release:  9
 Summary:  Linux D-Bus Message Broker
 License:  Apache License 2.0
 URL:      https://github.com/bus1/dbus-broker
@@ -95,6 +95,9 @@ fi
 %{_userunitdir}/dbus-broker.service
 
 %changelog
+* Sat Oct 7 2023 hongjinghao<hongjinghao@huawei.com> - 29-9
+- Fix buffer leakage
+
 * Wed Aug 9 2023 hongjinghao<hongjinghao@huawei.com> - 29-8
 - sync patches from dbus-broker community
 
diff --git a/enable-dbus-broker-to-reexecute.patch b/enable-dbus-broker-to-reexecute.patch
index 8b6fa2c..2fd4591 100644
--- a/enable-dbus-broker-to-reexecute.patch
+++ b/enable-dbus-broker-to-reexecute.patch
@@ -864,7 +864,7 @@ index ce4584c..3f72dbf 100644
 +                                               SASL_LENGTH_MAX};
 +        for (int i = 0; i < _PEER_INDEX_MAX; i++) {
 +                char *tmp_str = malloc(tmp_str_length[i]);
-+                peer_str = extract_word_inlist(peer_str, &tmp_str);
++                peer_str = extract_word_inlist(peer_str, &tmp_str, tmp_str_length[i]);
 +                if (strlen(tmp_str) <= 0) {
 +                        return error_origin(-EINVAL);
 +                }
@@ -2075,7 +2075,7 @@ index dfbdced..4016f98 100644
 +@ret: value between ";""
 +input example: 1;2;3
 +output example: 1 => 2 => 3 (one by one) */
-+char *extract_word_inlist(char *string, char **ret) {
++char *extract_word_inlist(char *string, char **ret, int ret_length) {
 +        int i = 0, length = strlen(string);
 +        bool found_value = false;
 +        while (i < length) {
@@ -2092,7 +2092,7 @@ index dfbdced..4016f98 100644
 +                }
 +                i++;
 +        }
-+        if (!found_value) {
++        if (!found_value || ret_length < i) {
 +                **ret = 0;
 +                return NULL;
 +        }
@@ -2143,7 +2143,7 @@ index 14f7171..f1c7d10 100644
  int util_strtou32(uint32_t *valp, const char *string);
  int util_strtou64(uint64_t *valp, const char *string);
 +void generate_args_string(bool valid_arg, char **ret, int size, int *cur_i, char *option, char *val);
-+char *extract_word_inlist(char *string, char **ret);
++char *extract_word_inlist(char *string, char **ret, int ret_length);
 +char *extract_list_element(char *string, char **ret);
  
  /**