main/openssh: fix segfault with VerifyHostKeyDNS=yes

fix a case in openbsd-compat where there are no DNS answers. Apparently
OpenBSD returns ancount=0 but the answer struct is non NULL, while with
musl the answer is NULL.

fixes #8323

main/openssh/APKBUILD

@@ -4,7 +4,7 @@
 pkgname=openssh
 pkgver=8.0_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=0
+pkgrel=1
 pkgdesc="Port of OpenBSD's free SSH release"
 url="https://www.openssh.com/portable.html"
 arch="all"
@@ -17,7 +17,8 @@ makedepends="$makedepends_build $makedepends_host"
 # Add more packages support here e.g. kerberos
 _pkgsupport=""
 [ -z "$BOOTSTRAP" ] && _pkgsupport="pam"
-subpackages="$pkgname-doc
+subpackages="$pkgname-dbg
+	$pkgname-doc
 	$pkgname-keygen
 	$pkgname-client
 	$pkgname-keysign
@@ -34,6 +35,7 @@ source="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.ta
 	bsd-compatible-realpath.patch
 	sftp-interactive.patch
 	disable-forwarding-by-default.patch
+	fix-verify-dns-segfault.patch
 
 	sshd.initd
 	sshd.confd
@@ -211,5 +213,6 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894
 f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73  bsd-compatible-realpath.patch
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch
 8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de  disable-forwarding-by-default.patch
+b0d1fc89bd46ebfc8c7c00fd897732e67a6cda996811c14d99392685bb0b508b52c9dc3188b1a84c0ffa3f72f57189cc615a76b81796dd1b5f552542bd53f84d  fix-verify-dns-segfault.patch
 8122ac1838586a1487dad1f70ed2ec8161ae57b4a7ee8bfef9757b590aa76a887a6c5e5f2575728da4c6c2f00d2a924360e23d84a4df204d7021b44b690cb2f8  sshd.initd
 ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc  sshd.confd"

main/openssh/fix-verify-dns-segfault.patch

@@ -0,0 +1,57 @@
+Handle case when answer=NULL due to zero answers
+
+diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
+index dc6fe05..28622b5 100644
+--- a/openbsd-compat/getrrsetbyname.c
++++ b/openbsd-compat/getrrsetbyname.c
+@@ -268,7 +268,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ 	}
+ 	rrset->rri_rdclass = response->query->class;
+ 	rrset->rri_rdtype = response->query->type;
+-	rrset->rri_ttl = response->answer->ttl;
++	rrset->rri_ttl = response->answer ? response->answer->ttl : 0;
+ 	rrset->rri_nrdatas = response->header.ancount;
+ 
+ #ifdef HAVE_HEADER_AD
+@@ -276,6 +276,17 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ 	if (response->header.ad == 1)
+ 		rrset->rri_flags |= RRSET_VALIDATED;
+ #endif
++	/* allocate memory for signatures */
++	if (rrset->rri_nsigs > 0) {
++		rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
++		if (rrset->rri_sigs == NULL) {
++			result = ERRSET_NOMEMORY;
++			goto fail;
++		}
++	}
++
++	if (response->answer == NULL || response->header.ancount == 0)
++		goto done;
+ 
+ 	/* copy name from answer section */
+ 	rrset->rri_name = strdup(response->answer->name);
+@@ -298,15 +309,6 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ 		goto fail;
+ 	}
+ 
+-	/* allocate memory for signatures */
+-	if (rrset->rri_nsigs > 0) {
+-		rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
+-		if (rrset->rri_sigs == NULL) {
+-			result = ERRSET_NOMEMORY;
+-			goto fail;
+-		}
+-	}
+-
+ 	/* copy answers & signatures */
+ 	for (rr = response->answer, index_ans = 0, index_sig = 0;
+ 	    rr; rr = rr->next) {
+@@ -334,6 +336,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
+ 	}
+ 	free_dns_response(response);
+ 
++done:
+ 	*res = rrset;
+ 	return (ERRSET_SUCCESS);
+