diff -Naru conntrack-tools-1.4.5.orig/src/read_config_lex.l conntrack-tools-1.4.5/src/read_config_lex.l
--- conntrack-tools-1.4.5.orig/src/read_config_lex.l	2018-05-01 09:34:20.409429996 +0000
+++ conntrack-tools-1.4.5/src/read_config_lex.l	2023-02-28 09:00:20.972296131 +0000
@@ -142,9 +142,9 @@
 {is_off}		{ return T_OFF; }
 {integer}		{ yylval.val = atoi(yytext); return T_NUMBER; }
 {signed_integer}	{ yylval.val = atoi(yytext); return T_SIGNED_NUMBER; }
-{ip4}			{ yylval.string = yytext; return T_IP; }
-{ip6}			{ yylval.string = yytext; return T_IP; }
-{path}			{ yylval.string = yytext; return T_PATH_VAL; }
+{ip4}			{ yylval.string = strdup(yytext); return T_IP; }
+{ip6}			{ yylval.string = strdup(yytext); return T_IP; }
+{path}			{ yylval.string = strdup(yytext); return T_PATH_VAL; }
 {alarm}			{ return T_ALARM; }
 {persistent}		{ dlog(LOG_WARNING, "Now `persistent' mode "
 			       "is called `alarm'. Please, update "
@@ -156,7 +156,7 @@
 			       "your conntrackd.conf file.\n");
 			  return T_FTFW; }
 {notrack}		{ return T_NOTRACK; }
-{string}		{ yylval.string = yytext; return T_STRING; }
+{string}		{ yylval.string = strdup(yytext); return T_STRING; }
 
 {comment}	;
 {ws}		;
diff -Naru conntrack-tools-1.4.5.orig/src/read_config_yy.h conntrack-tools-1.4.5/src/read_config_yy.h
--- conntrack-tools-1.4.5.orig/src/read_config_yy.h	2018-05-01 09:34:43.129411764 +0000
+++ conntrack-tools-1.4.5/src/read_config_yy.h	2023-02-28 11:02:52.883248089 +0000
@@ -1,8 +1,9 @@
-/* A Bison parser, made by GNU Bison 3.0.4.  */
+/* A Bison parser, made by GNU Bison 3.5.1.  */
 
 /* Bison interface for Yacc-like parsers in C
 
-   Copyright (C) 1984, 1989-1990, 2000-2015 Free Software Foundation, Inc.
+   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation,
+   Inc.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -30,6 +31,9 @@
    This special exception was added by the Free Software Foundation in
    version 2.2 of Bison.  */
 
+/* Undocumented macros, especially those whose name start with YY_,
+   are private implementation details.  Do not rely on them.  */
+
 #ifndef YY_YY_READ_CONFIG_YY_H_INCLUDED
 # define YY_YY_READ_CONFIG_YY_H_INCLUDED
 /* Debug traces.  */
@@ -231,17 +235,16 @@
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-
 union YYSTYPE
 {
-#line 58 "read_config_yy.y" /* yacc.c:1909  */
+#line 58 "read_config_yy.y"
 
 	int		val;
 	char		*string;
 
-#line 243 "read_config_yy.h" /* yacc.c:1909  */
-};
+#line 246 "read_config_yy.h"
 
+};
 typedef union YYSTYPE YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define YYSTYPE_IS_DECLARED 1
diff -Naru conntrack-tools-1.4.5.orig/src/read_config_yy.y conntrack-tools-1.4.5/src/read_config_yy.y
--- conntrack-tools-1.4.5.orig/src/read_config_yy.y	2018-05-01 09:34:20.409429996 +0000
+++ conntrack-tools-1.4.5/src/read_config_yy.y	2023-02-28 11:03:03.575552274 +0000
@@ -116,6 +116,7 @@
 logfile_path : T_LOG T_PATH_VAL
 {
 	strncpy(conf.logfile, $2, FILENAME_MAXLEN);
+	free($2);
 };
 
 syslog_bool : T_SYSLOG T_ON
@@ -151,8 +152,10 @@
 	else {
 		dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
 		     "ignoring", $2);
+		free($2);
 		break;
 	}
+	free($2);
 
 	if (conf.stats.syslog_facility != -1 &&
 	    conf.syslog_facility != conf.stats.syslog_facility)
@@ -163,6 +166,7 @@
 lock : T_LOCK T_PATH_VAL
 {
 	strncpy(conf.lockfile, $2, FILENAME_MAXLEN);
+	free($2);
 };
 
 refreshtime : T_REFRESH T_NUMBER
@@ -224,6 +228,7 @@
 
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.in)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+		free($2);
 		break;
 	}
 
@@ -234,6 +239,7 @@
 		break;
 	}
 
+	free($2);
 	conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET;
 };
 
@@ -246,6 +252,7 @@
 			&conf.channel[conf.channel_num].u.mcast.in);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -256,6 +263,7 @@
 		dlog(LOG_WARNING, "your multicast address is IPv6 but "
 		     "is binded to an IPv4 interface? "
 		     "Surely this is not what you want");
+		free($2);
 		break;
 	}
 
@@ -268,12 +276,14 @@
 		idx = if_nametoindex($2);
 		if (!idx) {
 			dlog(LOG_WARNING, "%s is an invalid interface", $2);
+			free($2);
 			break;
 		}
 
 		conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
 		conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
 	}
+	free($2);
 };
 
 multicast_option : T_IPV4_IFACE T_IP
@@ -282,8 +292,10 @@
 
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.mcast.ifa)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+		free($2);
 		break;
 	}
+	free($2);
 
         if (conf.channel[conf.channel_num].u.mcast.ipproto == AF_INET6) {
 		dlog(LOG_WARNING, "your multicast interface is IPv4 but "
@@ -298,6 +310,7 @@
 multicast_option : T_IPV6_IFACE T_IP
 {
 	dlog(LOG_WARNING, "`IPv6_interface' not required, ignoring");
+	free($2);
 }
 
 multicast_option : T_IFACE T_STRING
@@ -311,6 +324,7 @@
 	idx = if_nametoindex($2);
 	if (!idx) {
 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
+		free($2);
 		break;
 	}
 
@@ -318,6 +332,8 @@
 		conf.channel[conf.channel_num].u.mcast.ifa.interface_index6 = idx;
 		conf.channel[conf.channel_num].u.mcast.ipproto = AF_INET6;
 	}
+
+	free($2);
 };
 
 multicast_option : T_GROUP T_NUMBER
@@ -389,8 +405,10 @@
 
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.server.ipv4)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+		free($2);
 		break;
 	}
+	free($2);
 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
 };
 
@@ -403,12 +421,14 @@
 			&conf.channel[conf.channel_num].u.udp.server.ipv6);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
 		exit(EXIT_FAILURE);
 	}
 
+	free($2);
 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
 };
 
@@ -418,8 +438,10 @@
 
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.udp.client)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+		free($2);
 		break;
 	}
+	free($2);
 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET;
 };
 
@@ -432,12 +454,14 @@
 			&conf.channel[conf.channel_num].u.udp.client);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+		free($2);
 		break;
 	} else {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
 		exit(EXIT_FAILURE);
 	}
 
+	free($2);
 	conf.channel[conf.channel_num].u.udp.ipproto = AF_INET6;
 };
 
@@ -451,9 +475,12 @@
 	idx = if_nametoindex($2);
 	if (!idx) {
 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
+		free($2);
 		break;
 	}
 	conf.channel[conf.channel_num].u.udp.server.ipv6.scope_id = idx;
+
+	free($2);
 };
 
 udp_option : T_PORT T_NUMBER
@@ -529,8 +556,10 @@
 
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.server.ipv4)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+		free($2);
 		break;
 	}
+	free($2);
 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
 };
 
@@ -543,12 +572,14 @@
 			&conf.channel[conf.channel_num].u.tcp.server.ipv6);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
 		exit(EXIT_FAILURE);
 	}
 
+	free($2);
 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
 };
 
@@ -558,8 +589,10 @@
 
 	if (!inet_aton($2, &conf.channel[conf.channel_num].u.tcp.client)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4 address", $2);
+		free($2);
 		break;
 	}
+	free($2);
 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET;
 };
 
@@ -572,12 +605,14 @@
 			&conf.channel[conf.channel_num].u.tcp.client);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6 address", $2);
+		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
 		exit(EXIT_FAILURE);
 	}
 
+	free($2);
 	conf.channel[conf.channel_num].u.tcp.ipproto = AF_INET6;
 };
 
@@ -591,9 +626,12 @@
 	idx = if_nametoindex($2);
 	if (!idx) {
 		dlog(LOG_WARNING, "%s is an invalid interface", $2);
+		free($2);
 		break;
 	}
 	conf.channel[conf.channel_num].u.tcp.server.ipv6.scope_id = idx;
+
+	free($2);
 };
 
 tcp_option : T_PORT T_NUMBER
@@ -651,6 +689,7 @@
 unix_option : T_PATH T_PATH_VAL
 {
 	strcpy(conf.local.path, $2);
+	free($2);
 };
 
 unix_option : T_BACKLOG T_NUMBER
@@ -738,6 +777,7 @@
 expect_item: T_STRING
 {
 	exp_filter_add(STATE(exp_filter), $1);
+	free($1);
 }
 
 sync_mode_alarm: T_SYNC_MODE T_ALARM '{' sync_mode_alarm_list '}'
@@ -985,8 +1025,11 @@
 		conf.sched.type = SCHED_FIFO;
 	} else {
 		dlog(LOG_ERR, "unknown scheduler `%s'", $2);
+		free($2);
 		exit(EXIT_FAILURE);
 	}
+
+	free($2);
 };
 
 scheduler_line : T_PRIO T_NUMBER
@@ -1064,8 +1107,10 @@
 	if (pent == NULL) {
 		dlog(LOG_WARNING, "getprotobyname() cannot find "
 		     "protocol `%s' in /etc/protocols", $1);
+		free($1);
 		break;
 	}
+	free($1);
 	ct_filter_add_proto(STATE(us_filter), pent->p_proto);
 
 	__kernel_filter_start();
@@ -1162,12 +1207,14 @@
 		if (cidr > 32) {
 			dlog(LOG_WARNING, "%s/%d is not a valid network, "
 			     "ignoring", $2, cidr);
+			free($2);
 			break;
 		}
 	}
 
 	if (!inet_aton($2, &ip.ipv4)) {
 		dlog(LOG_WARNING, "%s is not a valid IPv4, ignoring", $2);
+		free($2);
 		break;
 	}
 
@@ -1193,6 +1240,7 @@
 				     "ignore pool!");
 		}
 	}
+	free($2);
 	__kernel_filter_start();
 
 	/* host byte order */
@@ -1222,6 +1270,7 @@
 		if (cidr > 128) {
 			dlog(LOG_WARNING, "%s/%d is not a valid network, "
 			     "ignoring", $2, cidr);
+			free($2);
 			break;
 		}
 	}
@@ -1229,6 +1278,7 @@
 	err = inet_pton(AF_INET6, $2, &ip.ipv6);
 	if (err == 0) {
 		dlog(LOG_WARNING, "%s is not a valid IPv6, ignoring", $2);
+		free($2);
 		break;
 	} else if (err < 0) {
 		dlog(LOG_ERR, "inet_pton(): IPv6 unsupported!");
@@ -1255,6 +1305,7 @@
 				     "ignore pool!");
 		}
 	}
+	free($2);
 	__kernel_filter_start();
 
 	/* host byte order */
@@ -1325,6 +1376,7 @@
 stat_logfile_path : T_LOG T_PATH_VAL
 {
 	strncpy(conf.stats.logfile, $2, FILENAME_MAXLEN);
+	free($2);
 };
 
 stat_syslog_bool : T_SYSLOG T_ON
@@ -1360,8 +1412,10 @@
 	else {
 		dlog(LOG_WARNING, "'%s' is not a known syslog facility, "
 		     "ignoring.", $2);
+		free($2);
 		break;
 	}
+	free($2);
 
 	if (conf.syslog_facility != -1 &&
 	    conf.stats.syslog_facility != conf.syslog_facility)
@@ -1395,8 +1449,10 @@
 		l3proto = AF_INET6;
 	else {
 		dlog(LOG_ERR, "unknown layer 3 protocol");
+		free($3);
 		exit(EXIT_FAILURE);
 	}
+	free($3);
 
 	if (strcmp($4, "tcp") == 0)
 		l4proto = IPPROTO_TCP;
@@ -1404,19 +1460,23 @@
 		l4proto = IPPROTO_UDP;
 	else {
 		dlog(LOG_ERR, "unknown layer 4 protocol");
+		free($4);
 		exit(EXIT_FAILURE);
 	}
+	free($4);
 
 #ifdef BUILD_CTHELPER
 	helper = helper_find(CONNTRACKD_LIB_DIR, $2, l4proto, RTLD_NOW);
 	if (helper == NULL) {
 		dlog(LOG_ERR, "Unknown `%s' helper", $2);
+		free($2);
 		exit(EXIT_FAILURE);
 	}
 #else
 	dlog(LOG_ERR, "Helper support is disabled, recompile conntrackd");
 	exit(EXIT_FAILURE);
 #endif
+	free($2);
 
 	helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
 	if (helper_inst == NULL)
@@ -1519,12 +1579,14 @@
 	if (e == NULL) {
 		dlog(LOG_ERR, "Helper policy configuration empty, fix your "
 		     "configuration file, please");
+		free($2);
 		exit(EXIT_FAILURE);
 		break;
 	}
 
 	policy = (struct ctd_helper_policy *) &e->data;
 	strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
+	free($2);
 	policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
 	/* Now object is complete. */
 	e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;