Merge remote-tracking branch 'public/bug5541_v2'

changes/bug5541

@@ -0,0 +1,8 @@
+  o Minor bugfixes:
+    - Prevent a null-pointer dereference when receiving a data cell
+      for a nonexistent stream when the circuit in question has an
+      empty deliver window. We don't believe this is triggerable,
+      since we don't currently allow deliver windows to become empty,
+      but the logic is tricky enough that it's better to make the code
+      robust. Fixes bug 5541; bugfix on 0.0.2pre14.
+

src/or/relay.c

@@ -1125,8 +1125,12 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
           (!layer_hint && --circ->deliver_window < 0)) {
         log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
                "(relay data) circ deliver_window below 0. Killing.");
-        connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+        if (conn) {
-        connection_mark_for_close(TO_CONN(conn));
+          /* XXXX Do we actually need to do this?  Will killing the circuit
+           * not send an END and mark the stream for close as appropriate? */
+          connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+          connection_mark_for_close(TO_CONN(conn));
+        }
         return -END_CIRC_REASON_TORPROTOCOL;
       }
       log_debug(domain,"circ deliver_window now %d.", layer_hint ?