Openssh: heap out-of-bounds read in red hat enterprise linux versions of openssh gssapi indicator cleanup due to missing null sentinel termination

An attacker with network access to an SSH server built with GSSAPI support can trigger the bug when `GSSAPIAuthentication yes` is configured and the Kerberos environment provides a ticket containing at least one authenticated `auth-indicators` value [ref_id=1]. The attacker must then cause execution to reach a sentinel-based consumer, either by making `ssh_gssapi_userok()` return false (e.g., through principal-to-local-user authorization failure) or by configuring `GSSAPIIndicators` so that `ssh_gssapi_check_indicators()` iterates the list [ref_id=1]. The out-of-bounds read may crash or abort the SSH authentication path, leading to a denial of service.

The vulnerability is in `gss-serv.c` (`ssh_gssapi_getindicators()`) where the `client->indicators` array is grown without a guaranteed trailing `NULL` sentinel. Sentinel-based consumers in `gss-serv.c` (`ssh_gssapi_userok()`) and `gss-serv-krb5.c` (`ssh_gssapi_check_indicators()`) iterate until `NULL`, which can read past the allocated pointer array.

The proposed fix ensures that after indicator collection, a dedicated trailing `NULL` slot is appended to the `client->indicators` array by calling `xrecallocarray()` to grow the array by one element [ref_id=1]. Previously the code relied on `recallocarray()` zeroing the newly added region, but that region was immediately overwritten with a string pointer, leaving no sentinel. The fix guarantees that sentinel-based consumers in `ssh_gssapi_userok()` and `ssh_gssapi_check_indicators()` will always find a `NULL` terminator within the allocated bounds.