NEX-3672 IDM module panics target when PDU has AHS length between 17 and 49
Reviewed by: Steve Peng <steve.peng@nexenta.com>
Reviewed by: Rob Gittins <rob.gittins@nexenta.com>

@@ -22,10 +22,11 @@
  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 /*
  * Copyright (c) 2013 by Delphix. All rights reserved.
+ * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
  * Copyright (c) 2017, Joyent, Inc.  All rights reserved.
  */
 
 #include <sys/conf.h>
 #include <sys/stat.h>

@@ -857,20 +858,25 @@
         }
 
         /*
          * Check actual AHS length against the amount available in the buffer
          */
+        if ((IDM_PDU_OPCODE(pdu) != ISCSI_OP_SCSI_CMD) &&
+            (bhs->hlength != 0)) {
+                /* ---- hlength is only only valid for SCSI Request ---- */
+                return (IDM_STATUS_FAIL);
+        }
         pdu->isp_hdrlen = sizeof (iscsi_hdr_t) +
             (bhs->hlength * sizeof (uint32_t));
         pdu->isp_datalen = n2h24(bhs->dlength);
 
         if (!idm_dataseglenokay(ic, pdu)) {
                 IDM_CONN_LOG(CE_WARN,
                     "idm_sorecvhdr: invalid data segment length");
                 return (IDM_STATUS_FAIL);
         }
-        if (bhs->hlength > IDM_SORX_CACHE_AHSLEN) {
+        if (bhs->hlength > IDM_SORX_WIRE_AHSLEN) {
                 /* Allocate a new header segment and change the callback */
                 new_hdr = kmem_alloc(pdu->isp_hdrlen, KM_SLEEP);
                 bcopy(pdu->isp_hdr, new_hdr, sizeof (iscsi_hdr_t));
                 pdu->isp_hdr = new_hdr;
                 pdu->isp_flags |= IDM_PDU_ADDL_HDR;