NULL ptr deref. in connection_edge_process_relay_cell()
In connection_edge_process_relay_cell(), if conn is NULL (because !rh.stream_id in relay_lookup_conn()), and the cell command is RELAY_COMMAND_DATA; if it gets inside:
if (( layer_hint && --layer_hint->deliver_window < 0) ||
(!layer_hint && --circ->deliver_window < 0)) {it can cause a NULL pointer dereference in connection_edge_end(), since the check for (!conn) happens after that if statement.
I suspect that this can be triggered if you spam an OR to reduce its deliver_window to 0, and then send a RELAY_COMMAND_DATA cell with no stream_id.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information