Fix a bug handling SENDME cells on nonexistent streams.

This could result in bizarre window values. Report and patch
contributed pseudymously.  Fixes part of bug 6271. This bug was
introduced before the first Tor release, in svn commit r152.

(bug 6271, part a.)

changes/bug6271

@@ -0,0 +1,7 @@
+   o Major bugfixes
+
+     - Fix a bug handling SENDME cells on nonexistent streams that
+       could result in bizarre window values. Report and patch
+       contributed pseudymously.  Fixes part of bug 6271. This bug
+       was introduced before the first Tor release, in svn commit
+       r152.

src/or/relay.c

@@ -1220,7 +1220,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
                "'connected' received, no conn attached anymore. Ignoring.");
       return 0;
     case RELAY_COMMAND_SENDME:
-      if (!conn) {
+      if (!rh.stream_id) {
         if (layer_hint) {
           layer_hint->package_window += CIRCWINDOW_INCREMENT;
           log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
@@ -1235,6 +1235,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
         }
         return 0;
       }
+      if (!conn) {
+        log_info(domain,"sendme cell dropped, unknown stream (streamid %d).",
+                 rh.stream_id);
+        return 0;
+      }
       conn->package_window += STREAMWINDOW_INCREMENT;
       log_debug(domain,"stream-level sendme, packagewindow now %d.",
                 conn->package_window);