An application that performs multiple requests with libcurl's multi API and
sets the CURLOPT_CONNECT_ONLY
option, might in rare circumstances experience
that when subsequently using the setup connect-only transfer, libcurl picks
and uses the wrong connection - and instead picks another one the application
has created since then.
CURLOPT_CONNECT_ONLY
is the option to tell libcurl to not perform an actual
transfer, only connect. When that operation is completed, libcurl remembers
which connection it used for that transfer and "easy handle". It remembers the
connection using a pointer to the internal connectdata
struct in memory.
If more transfers are then done with the same multi handle before the connect-only connection is used, leading to the initial connect-only connection to get closed (for example due to idle time-out) while also new transfers (and connections) are setup, such a new connection might end up getting the exact same memory address as the now closed connect-only connection.
If after those operations, the application then wants to use the original
transfer's connect-only setup to for example use curl_easy_send()
to send
raw data over that connection, libcurl could erroneously find an existing
connection still being alive at the address it remembered since before even
though this is now a new and different connection.
The application could then accidentally send data over that connection which was not at all intended for that recipient, entirely unknowingly.