diff --git a/SOURCES/0001-client-tx-hold-range.patch b/SOURCES/0001-client-tx-hold-range.patch
new file mode 100644
index 0000000..756878a
--- /dev/null
+++ b/SOURCES/0001-client-tx-hold-range.patch
@@ -0,0 +1,96 @@
+From 7b9abb819337dd50583350105afbdc82302f00ff Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 10 Jul 2024 15:32:01 +0800
+Subject: [PATCH 1/2] client: add range restriction for tx hold and interval
+
+Based on IEEE 802.1AB(2016) 9.2.5. The valid range of tx hold is 1-100,
+the valid range of tx interval is 1-3600.
+
+Reported-by: Matt Lucius <malucius@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+---
+ src/client/lldpcli.8.in | 15 ++++++++-------
+ src/lib/atoms/config.c  | 13 +++++++++----
+ 2 files changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/src/client/lldpcli.8.in b/src/client/lldpcli.8.in
+index 74a07eb4b806..39f936d1ceae 100644
+--- a/src/client/lldpcli.8.in
++++ b/src/client/lldpcli.8.in
+@@ -555,8 +555,8 @@ Force port description to the provided string.
+ .Cd lldp tx-interval Ar interval
+ .Bd -ragged -offset XXXXXX
+ Change transmit delay to the specified value in seconds. The transmit
+-delay is the delay between two transmissions of LLDP PDU. The default
+-value is 30 seconds. Note:
++delay is the delay between two transmissions of LLDP PDU. The valid range
++is 1 through 3600 in seconds. The default value is 30 seconds. Note:
+ .Nm lldpd
+ also starts another system based refresh timer on each port to detect
+ changes such as a hostname. This is the value of the tx-interval
+@@ -576,8 +576,8 @@ system capabilities and CPU speed.
+ .Bd -ragged -offset XXXXXX
+ Change transmit hold value to the specified value. This value is used
+ to compute the TTL of transmitted packets which is the product of this
+-value and of the transmit delay. The default value is 4 and therefore
+-the default TTL is 120 seconds.
++value and of the transmit delay. The valid range is 1 through 100. The
++default value is 4 and therefore the default TTL is 120 seconds.
+ .Ed
+ 
+ .Cd configure
+@@ -676,9 +676,10 @@ to shorten the interval between two LLDPDU.
+ .Cd enable
+ should enable LLDP-MED fast start while
+ .Cd tx-interval
+-specifies the interval between two LLDPDU in seconds. The default
+-interval is 1 second. Once 4 LLDPDU have been sent, the fast start
+-mechanism is disabled until a new neighbor is detected.
++specifies the interval between two LLDPDU in seconds. The valid interval
++range is 1 through 3600 in seconds. The default interval is 1 second. Once
++4 LLDPDU have been sent, the fast start mechanism is disabled until a new
++neighbor is detected.
+ .Ed
+ 
+ .Cd unconfigure med fast-start
+diff --git a/src/lib/atoms/config.c b/src/lib/atoms/config.c
+index 8a4af2e8d1cd..305b5861de6e 100644
+--- a/src/lib/atoms/config.c
++++ b/src/lib/atoms/config.c
+@@ -262,11 +262,13 @@ _lldpctl_atom_set_int_config(lldpctl_atom_t *atom, lldpctl_key_t key, long int v
+ 		break;
+ 	case lldpctl_k_config_tx_interval:
+ 		config.c_tx_interval = value * 1000;
+-		if (value > 0) c->config->c_tx_interval = value * 1000;
++		if (value > 0 && value <= 3600 * 1000)
++			c->config->c_tx_interval = value * 1000;
+ 		break;
+ 	case lldpctl_k_config_tx_interval_ms:
+ 		config.c_tx_interval = value;
+-		if (value > 0) c->config->c_tx_interval = value;
++		if (value > 0 && value <= 3600 * 1000)
++			c->config->c_tx_interval = value;
+ 		break;
+ 	case lldpctl_k_config_ifdescr_update:
+ 		config.c_set_ifdescr = c->config->c_set_ifdescr = value;
+@@ -288,12 +290,15 @@ _lldpctl_atom_set_int_config(lldpctl_atom_t *atom, lldpctl_key_t key, long int v
+ 		config.c_enable_fast_start = c->config->c_enable_fast_start = value;
+ 		break;
+ 	case lldpctl_k_config_fast_start_interval:
+-		config.c_tx_fast_interval = c->config->c_tx_fast_interval = value;
++		config.c_tx_fast_interval = value;
++		if (value > 0 && value <= 3600)
++			c->config->c_tx_fast_interval = value;
+ 		break;
+ #endif
+ 	case lldpctl_k_config_tx_hold:
+ 		config.c_tx_hold = value;
+-		if (value > 0) c->config->c_tx_hold = value;
++		if (value > 0 && value <= 100)
++			c->config->c_tx_hold = value;
+ 		break;
+ 	case lldpctl_k_config_max_neighbors:
+ 		config.c_max_neighbors = value;
+-- 
+2.46.0
+
diff --git a/SOURCES/0002-lldpd-limit-tx-ttl-to-65535.patch b/SOURCES/0002-lldpd-limit-tx-ttl-to-65535.patch
new file mode 100644
index 0000000..fe4276f
--- /dev/null
+++ b/SOURCES/0002-lldpd-limit-tx-ttl-to-65535.patch
@@ -0,0 +1,72 @@
+From a73e04f46ebe3d5e9d0805c52b9e5d0472e65069 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 10 Jul 2024 15:49:32 +0800
+Subject: [PATCH 2/2] lldpd: limit tx ttl to 65535
+
+Based on IEEE 802.1AB(2016) 9.2.5.22 txTTL:
+  During normal operation, txTTL is set to whichever is the smaller of the
+  values represented by Equation (1) and Equation (2):
+      (msgTxInterval x msgTxHold) + 1   (1)
+      65535                             (2)
+
+Reported-by: Matt Lucius <malucius@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+---
+ src/daemon/client.c | 5 +++--
+ src/daemon/lldpd.c  | 3 ++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/client.c b/src/daemon/client.c
+index d9d907fd74dc..c4894ac112ea 100644
+--- a/src/daemon/client.c
++++ b/src/daemon/client.c
+@@ -18,6 +18,7 @@
+ #include "lldpd.h"
+ #include "trace.h"
+ 
++#include <sys/param.h>
+ #include <sys/utsname.h>
+ 
+ static ssize_t
+@@ -80,7 +81,7 @@ client_handle_set_configuration(struct lldpd *cfg, enum hmsg_type *type, void *i
+ 			cfg->g_config.c_tx_interval = config->c_tx_interval;
+ 			cfg->g_config.c_ttl =
+ 			    cfg->g_config.c_tx_interval * cfg->g_config.c_tx_hold;
+-			cfg->g_config.c_ttl = (cfg->g_config.c_ttl + 999) / 1000;
++			cfg->g_config.c_ttl = MIN((cfg->g_config.c_ttl + 999) / 1000, 65535);
+ 		}
+ 		levent_send_now(cfg);
+ 	}
+@@ -90,7 +91,7 @@ client_handle_set_configuration(struct lldpd *cfg, enum hmsg_type *type, void *i
+ 		cfg->g_config.c_tx_hold = config->c_tx_hold;
+ 		cfg->g_config.c_ttl =
+ 		    cfg->g_config.c_tx_interval * cfg->g_config.c_tx_hold;
+-		cfg->g_config.c_ttl = (cfg->g_config.c_ttl + 999) / 1000;
++		cfg->g_config.c_ttl = MIN((cfg->g_config.c_ttl + 999) / 1000, 65535);
+ 	}
+ 	if (CHANGED(c_max_neighbors) && config->c_max_neighbors > 0) {
+ 		log_debug("rpc", "client change maximum neighbors to %d",
+diff --git a/src/daemon/lldpd.c b/src/daemon/lldpd.c
+index 6b5721e2e336..c3b67c6dfeb2 100644
+--- a/src/daemon/lldpd.c
++++ b/src/daemon/lldpd.c
+@@ -28,6 +28,7 @@
+ #include <time.h>
+ #include <libgen.h>
+ #include <assert.h>
++#include <sys/param.h>
+ #include <sys/utsname.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
+@@ -1932,7 +1933,7 @@ lldpd_main(int argc, char *argv[], char *envp[])
+ 	cfg->g_config.c_tx_interval = LLDPD_TX_INTERVAL * 1000;
+ 	cfg->g_config.c_tx_hold = LLDPD_TX_HOLD;
+ 	cfg->g_config.c_ttl = cfg->g_config.c_tx_interval * cfg->g_config.c_tx_hold;
+-	cfg->g_config.c_ttl = (cfg->g_config.c_ttl + 999) / 1000;
++	cfg->g_config.c_ttl = MIN((cfg->g_config.c_ttl + 999) / 1000, 65535);
+ 	cfg->g_config.c_max_neighbors = LLDPD_MAX_NEIGHBORS;
+ #ifdef ENABLE_LLDPMED
+ 	cfg->g_config.c_enable_fast_start = enable_fast_start;
+-- 
+2.46.0
+
diff --git a/SOURCES/0003-lldpd-fix-ttl-range.patch b/SOURCES/0003-lldpd-fix-ttl-range.patch
new file mode 100644
index 0000000..f7071f1
--- /dev/null
+++ b/SOURCES/0003-lldpd-fix-ttl-range.patch
@@ -0,0 +1,83 @@
+From 54c057d1190d4405d66e752dff789a01b8612f9b Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 2 Dec 2024 14:33:16 +0800
+Subject: [PATCH 3/4] lldpd: fix ttl range on ports
+
+In the following fixed commit, I forgot to fix the ttl range for
+interfaces/ports.
+
+Fixes: a73e04f46ebe ("lldpd: limit tx ttl to 65535")
+Reported-by: Fei Liu <feliu@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+---
+ src/client/display.c         | 3 ++-
+ src/daemon/protocols/edp.c   | 3 ++-
+ src/daemon/protocols/sonmp.c | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/client/display.c b/src/client/display.c
+index 6b23ec5b9e33..978accf02eae 100644
+--- a/src/client/display.c
++++ b/src/client/display.c
+@@ -21,6 +21,7 @@
+ #include <ctype.h>
+ #include <time.h>
+ #include <errno.h>
++#include <sys/param.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/un.h>
+@@ -599,7 +600,7 @@ display_local_ttl(struct writer *w, lldpctl_conn_t *conn, int details)
+ 	tx_interval =
+ 	    lldpctl_atom_get_int(configuration, lldpctl_k_config_tx_interval_ms);
+ 
+-	tx_interval = (tx_interval * tx_hold + 999) / 1000;
++	tx_interval = MIN((tx_interval * tx_hold + 999) / 1000, 65535);
+ 
+ 	if (asprintf(&ttl, "%lu", tx_interval) == -1) {
+ 		log_warnx("lldpctl", "not enough memory to build TTL.");
+diff --git a/src/daemon/protocols/edp.c b/src/daemon/protocols/edp.c
+index b55130b54806..773d210653f6 100644
+--- a/src/daemon/protocols/edp.c
++++ b/src/daemon/protocols/edp.c
+@@ -25,6 +25,7 @@
+ #  include <errno.h>
+ #  include <arpa/inet.h>
+ #  include <fnmatch.h>
++#  include <sys/param.h>
+ 
+ static int seq = 0;
+ 
+@@ -296,7 +297,7 @@ edp_decode(struct lldpd *cfg, char *frame, int s, struct lldpd_hardware *hardwar
+ 		goto malformed;
+ 	}
+ 	port->p_ttl = cfg ? cfg->g_config.c_tx_interval * cfg->g_config.c_tx_hold : 0;
+-	port->p_ttl = (port->p_ttl + 999) / 1000;
++	port->p_ttl = MIN((port->p_ttl + 999) / 1000, 65535);
+ 	chassis->c_id_subtype = LLDP_CHASSISID_SUBTYPE_LLADDR;
+ 	chassis->c_id_len = ETHER_ADDR_LEN;
+ 	if ((chassis->c_id = (char *)malloc(ETHER_ADDR_LEN)) == NULL) {
+diff --git a/src/daemon/protocols/sonmp.c b/src/daemon/protocols/sonmp.c
+index ddc2771d75c1..59636262ed28 100644
+--- a/src/daemon/protocols/sonmp.c
++++ b/src/daemon/protocols/sonmp.c
+@@ -24,6 +24,7 @@
+ #  include <unistd.h>
+ #  include <errno.h>
+ #  include <arpa/inet.h>
++#  include <sys/param.h>
+ 
+ static struct sonmp_chassis sonmp_chassis_types[] = {
+ 	{ 1, "unknown (via SONMP)" },
+@@ -369,7 +370,7 @@ sonmp_decode(struct lldpd *cfg, char *frame, int s, struct lldpd_hardware *hardw
+ 	TAILQ_INSERT_TAIL(&chassis->c_mgmt, mgmt, m_entries);
+ 	port->p_ttl =
+ 	    cfg ? (cfg->g_config.c_tx_interval * cfg->g_config.c_tx_hold) : LLDPD_TTL;
+-	port->p_ttl = (port->p_ttl + 999) / 1000;
++	port->p_ttl = MIN((port->p_ttl + 999) / 1000, 65535);
+ 
+ 	port->p_id_subtype = LLDP_PORTID_SUBTYPE_LOCAL;
+ 
+-- 
+2.39.5 (Apple Git-154)
+
diff --git a/SOURCES/0004-client-fix-tx-hold.patch b/SOURCES/0004-client-fix-tx-hold.patch
new file mode 100644
index 0000000..fd1edf0
--- /dev/null
+++ b/SOURCES/0004-client-fix-tx-hold.patch
@@ -0,0 +1,41 @@
+From 7de43fe8b8993f01422cfc00dfb06bcaf5171eb0 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 2 Dec 2024 14:34:44 +0800
+Subject: [PATCH 4/4] client: fix global tx hold and interval setting
+
+In the following fixed commit, I forgot to fix the transmission (tx) hold
+and interval range in the global configuration setting.
+
+Fixes: 7b9abb819337 ("client: add range restriction for tx hold and interval")
+Reported-by: Fei Liu <feliu@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+---
+ src/daemon/client.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/client.c b/src/daemon/client.c
+index 2112bdea6bef..091e1f4e4648 100644
+--- a/src/daemon/client.c
++++ b/src/daemon/client.c
+@@ -75,7 +75,7 @@ client_handle_set_configuration(struct lldpd *cfg, enum hmsg_type *type, void *i
+ 	if (CHANGED(c_tx_interval) && config->c_tx_interval != 0) {
+ 		if (config->c_tx_interval < 0) {
+ 			log_debug("rpc", "client asked for immediate retransmission");
+-		} else {
++		} else if (config->c_tx_interval <= 3600 * 1000) {
+ 			log_debug("rpc", "client change transmit interval to %d ms",
+ 			    config->c_tx_interval);
+ 			cfg->g_config.c_tx_interval = config->c_tx_interval;
+@@ -86,7 +86,8 @@ client_handle_set_configuration(struct lldpd *cfg, enum hmsg_type *type, void *i
+ 		}
+ 		levent_send_now(cfg);
+ 	}
+-	if (CHANGED(c_tx_hold) && config->c_tx_hold > 0) {
++	if (CHANGED(c_tx_hold) && config->c_tx_hold > 0 &&
++	    config->c_tx_hold <= 100) {
+ 		log_debug("rpc", "client change transmit hold to %d",
+ 		    config->c_tx_hold);
+ 		cfg->g_config.c_tx_hold = config->c_tx_hold;
+-- 
+2.39.5 (Apple Git-154)
+
diff --git a/SPECS/lldpd.spec b/SPECS/lldpd.spec
index 706a853..6aa6cd7 100644
--- a/SPECS/lldpd.spec
+++ b/SPECS/lldpd.spec
@@ -1,11 +1,10 @@
 Name:     lldpd
 Version:  1.0.18
-Release:  4%{?dist}
+Release:  6%{?dist}
 Summary:  ISC-licensed implementation of LLDP
 
 License:  ISC
 URL:      https://github.com/lldpd/
-# Upstream https://github.com/lldpd/lldpd/archive/v%{version}/%{name}-%{version}.tar.gz
 Source0:  lldpd-%{version}-free.tar.gz
 Source1:  %{name}.service
 Source2:  %{name}-tmpfiles
@@ -14,6 +13,11 @@ Source4:  %{name}-systemd-sysusers.conf
 
 Source100: lldpd-cleanup.sh
 
+Patch1: 0001-client-tx-hold-range.patch
+Patch2: 0002-lldpd-limit-tx-ttl-to-65535.patch
+Patch3: 0003-lldpd-fix-ttl-range.patch
+Patch4: 0004-client-fix-tx-hold.patch
+
 BuildRequires: check-devel
 BuildRequires: gcc
 BuildRequires: libxml2-devel
@@ -113,6 +117,15 @@ find %{buildroot} -type f -name "*.la" -delete
 %{_libdir}/pkgconfig/lldpctl.pc
 
 %changelog
+* Mon Dec 9 2024 Hangbin Liu <haliu@redhat.com> - 1.0.18-6
+- Add range checking for tx-interval and tx-hold [RHEL-40245]
+
+* Wed Oct 16 2024 Hangbin Liu <haliu@redhat.com> - 1.0.18-5
+- Add range checking for tx-interval and tx-hold [RHEL-40245]
+
+* Tue Mar 26 2024 Hangbin Liu <haliu@redhat.com> - 1.0.18-4
+- lldpd use systemd-sysusers [RHEL-5787]
+
 * Mon May 20 2024 Hangbin Liu <haliu@redhat.com> - 1.0.18-3
 - Add lldpd-devel package [RHEL-22127]