From c182a283f9bc34b3388c58d0b9efe2fa471bb74f Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue, 19 May 2026 09:42:20 +0200
Subject: [PATCH] credentials: Clear the moved-from string before checking its
 capacity

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
---
 pdns/credentials.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/credentials.cc b/pdns/credentials.cc
index 277e09e53f..c91873c205 100644
--- a/pdns/credentials.cc
+++ b/pdns/credentials.cc
@@ -84,11 +84,11 @@ void SensitiveData::reallyClearContent(void* data, size_t size) noexcept
 SensitiveData::SensitiveData(std::string&& data) :
   d_data(std::move(data))
 {
+  data.clear();
 #ifdef HAVE_LIBSODIUM
   // let's be nice and try to zero out the SSO buffer
   reallyClearContent(data.data(), data.capacity());
 #endif
-  data.clear();
 #ifdef HAVE_LIBSODIUM
   sodium_mlock(d_data.data(), d_data.size());
 #endif
-- 
2.47.3