dalloc_value_for_key() doesn't check the types of the intermediate or final arrays, and thus can dereference non-pointers pulled out of the objects.

For example, if an rpcd_mdssvc client sends a cmd with this blob:

    DALLOC_CTX(#1): {
      sl_array_t(#2): {
        sl_array_t(#3): {
          string: openQueryWithParams:forContext:
          uint64_t: 0x0000
          uint64_t: 0x0000
        }
        uint64_t: 0xdeadbeef12345678
      }
    }

then this call in slrpc_open_query() crashes due to treating the uint64_t as an sl_array_t:

    querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0, "DALLOC_CTX", 1,
                                       "kMDQueryString", "char *");

    Program received signal SIGBUS, Bus error.
    Object-specific hardware error.
    0x00000795e58888a4 in talloc_chunk_from_ptr (ptr=0xdeadbeef12345678) at ../../lib/talloc/talloc.c:527
    527         if (unlikely((tc->flags & (TALLOC_FLAG_FREE | ~TALLOC_FLAG_MASK)) != talloc_magic)) {
    (gdb) where
    #0  0x00000795e58888a4 in talloc_chunk_from_ptr (ptr=0xdeadbeef12345678) at ../../lib/talloc/talloc.c:527
    #1  0x00000795e588c39d in talloc_get_size (context=0xdeadbeef12345678) at ../../lib/talloc/talloc.c:2851
    #2  0x000007958f6477bb in dalloc_value_for_key (d=0x796563a4130) at ../../source3/rpc_server/mdssvc/dalloc.c:230
    #3  0x000007958f63273a in slrpc_open_query (mds_ctx=0x7962d00ba20, query=0x796563a39b0, reply=0x796563a3a40) at ../../source3/rpc_server/mdssvc/mdssvc.c:946
    #4  0x000007958f631948 in mds_dispatch (mds_ctx=0x7962d00ba20, request_blob=0x796563a29f0, response_blob=0x796563a3890, max_fragment_size=512) at ../../source3/rpc_server/mdssvc/mdssvc.c:1881
    #5  0x000007958f636b68 in _mdssvc_cmd (p=0x7962cffc048, r=0x796563a29d0) at ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:239
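As an added illustration of the missing check, not Samba's dalloc code: a hypothetical tagged-container lookup in C that verifies the runtime type and the index bounds at every hop of the key path, so the blob above yields NULL instead of a dereference of 0xdeadbeef12345678. The value_t type, lookup_checked() and the s_* sample tree are assumptions constructed to mirror the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical tagged container, not Samba's dalloc: every node carries a runtime type. */
typedef enum { T_ARRAY, T_STRING, T_UINT64 } vtype_t;
typedef struct value {
    vtype_t type;
    union {
        struct { const struct value **items; size_t count; } array;
        const char *str;
        uint64_t u64;
    } u;
} value_t;
/* Follow a path of array indices. Each hop checks that the current node really is an
 * array and the index is in range; the final node must have the wanted type. NULL otherwise. */
static const value_t *lookup_checked(const value_t *root, const size_t *path, size_t depth, vtype_t want)
{
    const value_t *cur = root;
    for (size_t i = 0; i < depth; i++) {
        if (cur == NULL || cur->type != T_ARRAY) return NULL;  /* type check before deref */
        if (path[i] >= cur->u.array.count) return NULL;        /* bounds check */
        cur = cur->u.array.items[path[i]];
    }
    return (cur != NULL && cur->type == want) ? cur : NULL;
}
/* Constructed sample mirroring the blob in the report: root -> array -> { array{...}, uint64 }. */
static const value_t s_query = { T_STRING, { .str = "openQueryWithParams:forContext:" } };
static const value_t s_zero  = { T_UINT64, { .u64 = 0 } };
static const value_t *s_inner_items[] = { &s_query, &s_zero, &s_zero };
static const value_t s_inner = { T_ARRAY, { .array = { s_inner_items, 3 } } };
static const value_t s_bogus = { T_UINT64, { .u64 = 0xdeadbeef12345678ULL } };
static const value_t *s_mid_items[] = { &s_inner, &s_bogus };
static const value_t s_mid   = { T_ARRAY, { .array = { s_mid_items, 2 } } };
static const value_t *s_root_items[] = { &s_mid };
static const value_t s_root  = { T_ARRAY, { .array = { s_root_items, 1 } } };
/* The crashing lookup walked root[0][1] and treated the uint64 found there as an array. */
int bogus_path_is_rejected(void)
{
    size_t path[] = { 0, 1 };
    return lookup_checked(&s_root, path, 2, T_ARRAY) == NULL;
}
/* A well-formed lookup still succeeds: root[0][0][0] is the command string. */
const char *query_string(void)
{
    size_t path[] = { 0, 0, 0 };
    const value_t *v = lookup_checked(&s_root, path, 3, T_STRING);
    return v ? v->u.str : NULL;
}
```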