From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 17 May 2021 12:06:46 +0000 (+0200)
Subject: Fix coverity issue 331478
X-Git-Tag: v9.17.14~44^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19395fd1687f00825ece92338311bb8852d23246;p=thirdparty%2Fbind9.git

Fix coverity issue 331478

Move the "cannot start rollover" warning into code block that checks
if 'active_key' is not NULL.
---

diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index 02dbd711e2c..1d47da8c332 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -1713,6 +1713,20 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
 				      keystr, keymgr_keyrole(active_key->key),
 				      dns_kasp_getname(kasp));
 		}
+
+		/*
+		 * If rollover is not allowed, warn.
+		 */
+		if (!rollover) {
+			dst_key_format(active_key->key, keystr, sizeof(keystr));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+				      "keymgr: DNSKEY %s (%s) is offline in "
+				      "policy %s, cannot start rollover",
+				      keystr, keymgr_keyrole(active_key->key),
+				      dns_kasp_getname(kasp));
+			return (ISC_R_SUCCESS);
+		}
 	} else if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(origin, namestr, sizeof(namestr));
@@ -1724,20 +1738,6 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
 
 	/* It is time to do key rollover, we need a new key. */
 
-	/*
-	 * If rollover is not allowed, warn.
-	 */
-	if (!rollover) {
-		dst_key_format(active_key->key, keystr, sizeof(keystr));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
-			      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
-			      "keymgr: DNSKEY %s (%s) is offline in policy %s, "
-			      "cannot start rollover",
-			      keystr, keymgr_keyrole(active_key->key),
-			      dns_kasp_getname(kasp));
-		return (ISC_R_SUCCESS);
-	}
-
 	/*
 	 * Check if there is a key available in pool because keys
 	 * may have been pregenerated with dnssec-keygen.