- Type: Bug
- Resolution: Duplicate
- Priority: Major - P3
- Affects Version/s: 2.0.2
- Component/s: None

In instance.cpp _assembleResponse(), we attempt to parse a namespace out of the message data in order to check for authorization. We do this for dbInsert, dbUpdate, dbDelete, and dbKillCursors.
All of these commands include the collection name, EXCEPT dbKillCursors. dbKillCursors contains "numberOfCursorIDs" in the position for the namespace. Therefore, as long as you pass a cursor count whose int binary representation contains a null byte, nothing bad will happen, other than that no authentication occurs.
If you pass, say, -1 for the cursor count, the server might crash due to not finding a null-terminated string for the namespace. On Windows, you can crash the server in debug mode by running clientTest.exe, which indeed passes -1 as part of a failure scenario test.

- duplicates: SERVER-4892 Running server in auth mode fails to close cursors leading to cursor accumulation on the server (Closed)
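
The parsing problem described in the report, as an added C++ example that is not MongoDB's code or the fix that was shipped: a namespace extractor that treats dbKillCursors as carrying a count rather than a string and never scans past the bytes actually received. The helper name `namespaceForAuth`, the `NsResult` type and the sample bodies are assumptions made for illustration; the body layouts follow the legacy wire protocol.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Legacy wire-protocol opcodes for the messages named in the report.
enum Op : int32_t { dbUpdate = 2001, dbInsert = 2002, dbDelete = 2006, dbKillCursors = 2007 };
enum class NsResult { Ok, NoNamespace, Malformed };

// Hypothetical helper (not from instance.cpp). `body` points just past the
// 16-byte message header and `len` is the number of body bytes received.
NsResult namespaceForAuth(int32_t op, const unsigned char* body, std::size_t len, std::string& ns) {
    ns.clear();
    if (op == dbKillCursors) {
        // Body: int32 ZERO, int32 numberOfCursorIDs, int64 cursorIDs[].
        // Bytes 4..7 are a count, so they are never read as a C string.
        if (len < 8) return NsResult::Malformed;
        uint32_t raw = body[4] | (body[5] << 8) | (body[6] << 16) | (uint32_t(body[7]) << 24);
        int32_t count = static_cast<int32_t>(raw);
        // A negative count, or one that disagrees with the bytes present, is rejected.
        if (count < 0 || uint64_t(count) * 8 != len - 8) return NsResult::Malformed;
        return NsResult::NoNamespace;  // no collection name; caller decides how to authorize
    }
    if (op != dbInsert && op != dbUpdate && op != dbDelete) return NsResult::Malformed;
    // Body: int32 flags or ZERO, then the NUL-terminated collection name.
    if (len <= 4) return NsResult::Malformed;
    const void* nul = std::memchr(body + 4, 0, len - 4);  // bounded, unlike strlen
    if (nul == nullptr || nul == body + 4) return NsResult::Malformed;
    ns.assign(reinterpret_cast<const char*>(body + 4), static_cast<const char*>(nul));
    return NsResult::Ok;
}

int main() {
    // Constructed sample bodies (not captured traffic).
    const unsigned char insertBody[] = {0,0,0,0, 't','e','s','t','.','c',0, 5,0,0,0,0};
    const unsigned char killNegOne[] = {0,0,0,0, 0xFF,0xFF,0xFF,0xFF};
    const unsigned char killOne[]    = {0,0,0,0, 1,0,0,0, 1,2,3,4,5,6,7,8};
    std::string ns;
    int r = int(namespaceForAuth(dbInsert, insertBody, sizeof insertBody, ns));
    std::printf("insert        -> %d ns='%s'\n", r, ns.c_str());
    r = int(namespaceForAuth(dbKillCursors, killNegOne, sizeof killNegOne, ns));
    std::printf("killCursors -1 -> %d\n", r);
    r = int(namespaceForAuth(dbKillCursors, killOne, sizeof killOne, ns));
    std::printf("killCursors 1  -> %d\n", r);
    return 0;
}
```
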