diff --git a/backport-fru-Fix-crashes-on-6-bit-ASCII-strings.patch b/backport-fru-Fix-crashes-on-6-bit-ASCII-strings.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2d5ffbc18d1fa9917339dbf120f178699d02d768
--- /dev/null
+++ b/backport-fru-Fix-crashes-on-6-bit-ASCII-strings.patch
@@ -0,0 +1,33 @@
+From 1245aaa387dca1cb99408869b2c1b3e2410a1352 Mon Sep 17 00:00:00 2001
+From: Alexander Amelkin <alexander@amelkin.msk.ru>
+Date: Tue, 15 Sep 2020 16:49:20 +0300
+Subject: [PATCH] fru: Fix crashes on 6-bit ASCII strings
+
+Fix calculation of the buffer size for decoded 6-bit ASCII
+strings. Previously the program could allocate too a short buffer
+that caused buffer overflows and segmentation fault crashes on
+certain FRU contents.
+
+Signed-off-by: Alexander Amelkin <alexander@amelkin.msk.ru>
+---
+ lib/ipmi_fru.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index 501ef26..3d1d8a1 100644
+--- a/lib/ipmi_fru.c
++++ b/lib/ipmi_fru.c
+@@ -175,8 +175,8 @@ char * get_fru_area_str(uint8_t * data, uint32_t * offset)
+ 		size = (len * 2);
+ 		break;
+ 	case 2:           /* 10b: 6-bit ASCII */
+-		/* 4 chars per group of 1-3 bytes */
+-		size = (((len * 4 + 2) / 3) & ~3);
++		/* 4 chars per group of 1-3 bytes, round up to 4 bytes boundary */
++		size = (len / 3 + 1) * 4;
+ 		break;
+ 	case 3:           /* 11b: 8-bit ASCII */
+ 		/* no length adjustment */
+-- 
+2.20.1
+
diff --git a/ipmitool.spec b/ipmitool.spec
index f355f7bfd12fe738471bee09a7f7ca526cd55b5a..c5048a999f308df6b6e8f7a1c3023fb6ac2b05db 100644
--- a/ipmitool.spec
+++ b/ipmitool.spec
@@ -1,6 +1,6 @@
 Name:            ipmitool
 Version:         1.8.18
-Release:         21
+Release:         22
 Summary:         Utility for IPMI control
 License:         BSD
 URL:             https://codeberg.org/IPMITool/ipmitool
@@ -45,6 +45,7 @@ Patch6025:       ipmitool-CVE-2020-5208-Fix-id_string-buffer-overflows.patch
 Patch6026:       fix-variable-definition-error-with-gcc-10.patch
 Patch6027:       backport-lanplus-Realloc-the-msg-if-the-payload_length-gets-u.patch
 Patch6028:       backport-lan-channel-Fix-set-alert-on-off.patch
+Patch6029:       backport-fru-Fix-crashes-on-6-bit-ASCII-strings.patch
 
 BuildRequires:    openssl-devel readline-devel ncurses-devel 
 %{?systemd_requires}
@@ -173,6 +174,12 @@ install -Dm 755 contrib/bmc-snmp-proxy         %{buildroot}%{_libexecdir}/bmc-sn
 %{_mandir}/man8/ipmievd.8*
 
 %changelog
+* Mon Dec 04 2023 Huang Yang <huangyang@loongson.cn> - 1.8.18-22
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Resolve malloc aborted error raised when executing ipmitool fru.
+
 * Wed May 31 2023 mengkanglai <mengkanglai2@huawei.com> - 1.8.18-21
 - Type:bugfix
 - ID:NA
@@ -185,7 +192,7 @@ install -Dm 755 contrib/bmc-snmp-proxy         %{buildroot}%{_libexecdir}/bmc-sn
 - SUG:NA
 - DESC:lan channel fix set alert on off and lanplus realloc the msg if the payload_length gets update
 
-* Fri Oct 21 2022 zhangjun <zhangjun@kylinos.cn> - 1.8.18-19
+* Mon Oct 31 2022 mengkanglai <mengkanglai2@huawei.com> - 1.8.18-19
 - Type:bugfix
 - ID:NA
 - SUG:NA
@@ -198,7 +205,7 @@ install -Dm 755 contrib/bmc-snmp-proxy         %{buildroot}%{_libexecdir}/bmc-sn
 - DESC:separate exchange-bmc-os-info,bmc-snmp-proxy from ipmitool
 
 * Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 1.8.18-17
-- DESC: delete -S git from autosetup, and delete BuildRequires git
+- DESC: delete -S git from %autosetup, and delete BuildRequires git
 
 * Fri Jul 30 2021 gaihuiying <gaihuiying1@huawei.com> - 1.8.18-16
 - Type:bugfix