Safety checks for RTT BDP calc
@dgoulet and I noticed some potential but rare integer overflow cases for RTT-based cwnd calculation, while investigating queue use on test relays wrt the DoS. Basically if the clock is stopped, and a client manages to send a bunch of control cells on a circuit that are not subject to congestion control, and the orconn is blocked, the channel queue can exceed the congestion window, which could cause the `cwnd = MAX(cwnd - chan_q, cc->cwnd_min)` in `congestion_control_update_circuit_bdp()` to underflow.
Should be very very hard to trigger, and not remotely exploitable, but maybe it could happen. Might as well add some checks.
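The underflow described above and one possible guard, as an added example that is not part of the original post and is not Tor's code. It assumes the operands are unsigned 64-bit values; the function names and sample numbers are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Unchecked form of the expression quoted in the issue. With unsigned
 * operands (an assumption here), chan_q > cwnd makes the subtraction
 * wrap to a huge value, and MAX() then prefers it over cwnd_min. */
static uint64_t cwnd_unchecked(uint64_t cwnd, uint64_t chan_q,
                               uint64_t cwnd_min)
{
  return MAX(cwnd - chan_q, cwnd_min);
}

/* Guarded form (hypothetical helper): when the channel queue is at
 * least as large as the window, clamp to the floor instead of
 * subtracting, so the result always lies in [cwnd_min, cwnd]
 * provided cwnd >= cwnd_min. */
static uint64_t cwnd_checked(uint64_t cwnd, uint64_t chan_q,
                             uint64_t cwnd_min)
{
  if (chan_q >= cwnd)
    return cwnd_min;
  return MAX(cwnd - chan_q, cwnd_min);
}

int main(void)
{
  /* Constructed sample values, not taken from a real relay. */
  const uint64_t cwnd = 124, cwnd_min = 31;
  const uint64_t queues[] = { 0, 50, 124, 125, 500 };

  for (size_t i = 0; i < sizeof(queues) / sizeof(queues[0]); i++) {
    printf("chan_q=%3" PRIu64 "  unchecked=%20" PRIu64
           "  checked=%" PRIu64 "\n",
           queues[i],
           cwnd_unchecked(cwnd, queues[i], cwnd_min),
           cwnd_checked(cwnd, queues[i], cwnd_min));
  }
  return 0;
}
```

The two forms agree whenever `chan_q <= cwnd`; they diverge only in the case the issue describes, where the queue exceeds the window.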