The hex key supplied with an add command can be quoted, in which case the quotation marks are removed.
The check itself makes sure that a given string starts with a double quotation mark and ends with a double quotation mark.
But if only " is supplied, the code crashes because it subtracts 2 from the length (which is 1) and therefore copies too much memory into a 0 allocated memory area.
Proof of concept:
$ xauth add :0 0 "
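
An added C example (not xauth's own code) of the guard the description implies: the quote test has to require at least two bytes before len - 2 is computed. The function names, and the len > 0 test that keeps the naive check defined for empty input, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Check as described above: first and last byte are '"'.
 * For a one-byte string both tests look at the same byte. */
int quoted_naive(const char *s, size_t len)
{
    return len > 0 && s[0] == '"' && s[len - 1] == '"';
}

/* Hardened check: an opening and a closing quote need two bytes. */
int quoted_checked(const char *s, size_t len)
{
    return len >= 2 && s[0] == '"' && s[len - 1] == '"';
}

/* Return a malloc'd copy of the key with one pair of surrounding
 * quotes removed, or NULL on allocation failure. A lone '"' is
 * copied unchanged, so len - 2 is never evaluated for len < 2. */
char *strip_key_quotes(const char *key)
{
    size_t len = strlen(key);
    const char *src = key;
    char *out;

    if (quoted_checked(key, len)) {
        src = key + 1;   /* skip the opening quote */
        len -= 2;        /* safe: len >= 2 was verified */
    }
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, src, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    const char *lone = "\"";   /* constructed input: a lone quote */
    char *out = strip_key_quotes(lone);

    printf("naive=%d checked=%d out=%s\n", quoted_naive(lone, 1),
           quoted_checked(lone, 1), out ? out : "(null)");
    free(out);
    return 0;
}
```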