NULL ptr deref. in connection_edge_process_relay_cell()

In connection_edge_process_relay_cell(), if conn is NULL (because !rh.stream_id in relay_lookup_conn()), and the cell command is RELAY_COMMAND_DATA; if it gets inside:

      if (( layer_hint && --layer_hint->deliver_window < 0) ||
          (!layer_hint && --circ->deliver_window < 0)) {

it can cause a NULL pointer dereference in connection_edge_end(), since the check for (!conn) happens after that if statement.

I suspect that this can be triggered if you spam an OR to reduce its deliver_window to 0, and then send a RELAY_COMMAND_DATA cell with no stream_id.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information