From 8015e35747eada2d79b898604b680aea53f9375c Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Sun, 28 Aug 2016 21:28:57 -0400
Subject: [PATCH] Fix a crash when a user disables DCE_RPC and enabled SMB.

I wasn't accounting for analyzers being disabled and not actually instantiating when requested. This includes a test which verifies there is no crash or problem when a user disables DCE_RPC.
---
 src/analyzer/protocol/smb/smb-pipe.pac | 10 +++++++---
 .../scripts/base/protocols/smb/disabled-dce-rpc.test | 12 ++++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test

diff --git a/src/analyzer/protocol/smb/smb-pipe.pac b/src/analyzer/protocol/smb/smb-pipe.pac
index 4b995cfe3d..5c32f1f17c 100644
--- a/src/analyzer/protocol/smb/smb-pipe.pac
+++ b/src/analyzer/protocol/smb/smb-pipe.pac
@@ -41,15 +41,19 @@ refine connection SMB_Conn += {
 			if ( fid_to_analyzer_map.count(fid) == 0 )
 				{
 				pipe_dcerpc = (analyzer::dce_rpc::DCE_RPC_Analyzer *)analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn());
-				pipe_dcerpc->SetFileID(fid);
-				fid_to_analyzer_map[fid] = pipe_dcerpc;
+				if ( pipe_dcerpc )
+					{
+					pipe_dcerpc->SetFileID(fid);
+					fid_to_analyzer_map[fid] = pipe_dcerpc;
+					}
 				}
 			else
 				{
 				pipe_dcerpc = fid_to_analyzer_map.at(fid);
 				}
 
-			pipe_dcerpc->DeliverStream(${pipe_data}.length(), ${pipe_data}.begin(), is_orig);
+			if ( pipe_dcerpc )
+				pipe_dcerpc->DeliverStream(${pipe_data}.length(), ${pipe_data}.begin(), is_orig);
 
 			return true;
 			%}
diff --git a/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
new file mode 100644
index 0000000000..7ac2789280
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/smb/disabled-dce-rpc.test
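Review bot: The new null check after the `InstantiateAnalyzer` call guards the disabled-analyzer case, but the pointer it tests still comes from an unchecked C-style cast of the base analyzer pointer; since the manager is asked for "DCE_RPC" by name the target type is known, so `static_cast<analyzer::dce_rpc::DCE_RPC_Analyzer *>(analyzer_mgr->InstantiateAnalyzer("DCE_RPC", bro_analyzer()->Conn()))` would make the downcast explicit and greppable. When the analyzer is disabled nothing is stored in `fid_to_analyzer_map`, so each later pipe write appears to repeat the instantiation attempt and then drop the data silently at the second guard; a comment such as `// InstantiateAnalyzer() yields a null pointer when DCE_RPC is disabled; pipe data is intentionally dropped then.` above the first `if ( pipe_dcerpc )` would record that this is the intended outcome rather than an oversight. The enclosing function, including its header and the declaration of `pipe_dcerpc`, starts outside the hunk.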
@@ -0,0 +1,12 @@
+# @TEST-EXEC: bro -C -r $TRACES/smb/dssetup_DsRoleGetPrimaryDomainInformation_standalone_workstation.cap %INPUT
+# @TEST-EXEC: [ ! -f dce_rpc.log ]
+
+@load policy/protocols/smb
+
+# The DCE_RPC analyzer is a little weird since it's instantiated
+# by the SMB analyzer directly in some cases. Care needs to be
+# taken to handle a disabled analyzer correctly.
+event bro_init()
+	{
+	Analyzer::disable_analyzer(Analyzer::ANALYZER_DCE_RPC);
+	}
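Review bot: The second `@TEST-EXEC` only asserts that `dce_rpc.log` is absent, so a run in which the SMB analyzer never engaged with this trace would pass just as well as one that actually exercised the disabled-analyzer path in smb-pipe.pac. If the loaded `policy/protocols/smb` scripts write an SMB log for this capture, a further `@TEST-EXEC` asserting that file exists would pin the test to the code path the fix targets. The `bro_init()` handler itself is the right place to disable the analyzer, since it runs before any packet from the trace is processed.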