When discussing CDRIVER-3438, the following scenario seems like a very possible bug in libmongoc:

Create an exhaust cursor against server S1. This sets mongoc_client_t's in_exhaust flag to true. Since S1 expects to stream all documents requested, the socket to S1 can only be read from (and must be closed when done) in mongoc_cursor_destroy.

While the mongoc_client_t is still in_exhuast, call mongoc_client_select_server, triggering a topology scan. Since there is no check of client->in_exhaust in mongoc-async-cmd.c, the scan will attempt to send an isMaster on the same socket to S1. This will result in an out-of-bound write to the socket.

Note, I believe this bug would only appear if the user were to call mongoc_client_select_server while the client was in exhaust. Other operations that would otherwise do I/O would check (and correctly error) in the common I/O code path of mongoc-cluster.c.