From 8dd3944dd16e04f0f193fb377155823ad1b9582a Mon Sep 17 00:00:00 2001
From: xurui <xurui115@h-partners.com>
Date: Wed, 24 Apr 2024 14:07:35 +0800
Subject: [PATCH 1/2] CVE-2023-3727

Signed-off-by: xurui <xurui115@h-partners.com>
---
 pc/data_channel_controller.cc | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/pc/data_channel_controller.cc b/pc/data_channel_controller.cc
index 166e181c..6354bca1 100644
--- a/pc/data_channel_controller.cc
+++ b/pc/data_channel_controller.cc
@@ -77,14 +77,18 @@ void DataChannelController::OnChannelStateChanged(
     SctpDataChannel* channel,
     DataChannelInterface::DataState state) {
   RTC_DCHECK_RUN_ON(network_thread());
+
+  // Stash away the internal id here in case `OnSctpDataChannelClosed` ends up
+  // releasing the last reference to the channel.
+  const int channel_id = channel->internal_id();
+
   if (state == DataChannelInterface::DataState::kClosed)
     OnSctpDataChannelClosed(channel);
 
-  signaling_thread()->PostTask(
-      SafeTask(signaling_safety_.flag(),
-               [this, channel_id = channel->internal_id(), state = state] {
-                 pc_->OnSctpDataChannelStateChanged(channel_id, state);
-               }));
+  signaling_thread()->PostTask(SafeTask(
+      signaling_safety_.flag(), [this, channel_id, state, channel_usage] {
+        pc_->OnSctpDataChannelStateChanged(channel_id, state);
+      }));
 }
 
 void DataChannelController::OnDataReceived(
-- 
Gitee


From b0298e61b4a60fb40b7f3f16a8d086557e9a0f5c Mon Sep 17 00:00:00 2001
From: xurui <xurui115@h-partners.com>
Date: Wed, 24 Apr 2024 19:03:55 +0800
Subject: [PATCH 2/2] CVE-2023-3727

Signed-off-by: xurui <xurui115@h-partners.com>
---
 pc/data_channel_controller.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pc/data_channel_controller.cc b/pc/data_channel_controller.cc
index 6354bca1..b7949e75 100644
--- a/pc/data_channel_controller.cc
+++ b/pc/data_channel_controller.cc
@@ -85,8 +85,8 @@ void DataChannelController::OnChannelStateChanged(
   if (state == DataChannelInterface::DataState::kClosed)
     OnSctpDataChannelClosed(channel);
 
-  signaling_thread()->PostTask(SafeTask(
-      signaling_safety_.flag(), [this, channel_id, state, channel_usage] {
+  signaling_thread()->PostTask(
+      SafeTask(signaling_safety_.flag(), [this, channel_id, state] {
         pc_->OnSctpDataChannelStateChanged(channel_id, state);
       }));
 }
-- 
Gitee