We obey sendme cells even when we shouldn't get them

A client can send sendme cells preemptively to the exit relay, allowing:

cheating on her flow/congestion control, to get her bytes faster
DoS on the network, by adding way more cells into the network than she was supposed to.
perhaps a memory DoS on the entry relay, if she stops reading from the TLS connection but keeps up the blitz of sendme cells.

I believe the fix is to tear down the circuit when we get a sendme we should not have gotten.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information