Prevent an (impossible) null-pointer dereference in connection_edge_process_relay_cell

This would happen if the deliver window could become negative
because of an nonexistent connection.  (Fortunately, _that_ can't
occur, thanks to circuit_consider_sending_sendme.  Still, if we
change our windowing logic at all, we won't want this to become
triggerable.)  Fix for bug 5541.  Bugfix on 4a66865d, back from
0.0.2pre14.  asn found this.  Nice catch, asn!

changes/bug5541

@@ -0,0 +1,8 @@
+  o Minor bugfixes:
+    - Prevent a null-pointer dereference when receiving a data cell
+      for a nonexistent stream when the circuit in question has an
+      empty deliver window. We don't believe this is triggerable,
+      since we don't currently allow deliver windows to become empty,
+      but the logic is tricky enough that it's better to make the code
+      robust. Fixes bug 5541; bugfix on 0.0.2pre14.
+

src/or/relay.c

@@ -1103,8 +1103,12 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
           (!layer_hint && --circ->deliver_window < 0)) {
         log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
                "(relay data) circ deliver_window below 0. Killing.");
+        if (conn) {
+          /* XXXX Do we actually need to do this?  Will killing the circuit
+           * not send an END and mark the stream for close as appropriate? */
           connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
           connection_mark_for_close(TO_CONN(conn));
+        }
         return -END_CIRC_REASON_TORPROTOCOL;
       }
       log_debug(domain,"circ deliver_window now %d.", layer_hint ?