ValveSoftware
Changing nickname of player hosting the listen server
This is an old bug, which means that any player can change the nickname of the player who launched listen server. This happens through sending the name as a command.
Step-by-step reproduction:
- Connect to the listen server.
- Execute the string
cmd name testin the console of our game client. - The player’s nickname on which the listen server is running should change to
test.
@mikela-valve I ask also to pay attention to this bug. Just in case, I recorded a video that shows how you can remotely change the nickname of another player.
This happens because name string is part of clcommands array:
char *clcommands[22] =
{
"status",
"god",
"notarget",
"fly",
"name", // there
"noclip",
"kill",
"pause",
"spawn",
"new",
"sendres",
"dropclient",
"kick",
"ping",
"dlfile",
"nextdl",
"setinfo",
"showinfo",
"sendents",
"fullupdate",
"setpause",
"unpause"
};
Commands from this array are executed in the server console via Cmd_ExecuteString inside SV_ParseStringCommand, when parsing clc_stringcmd client message:
void __usercall SV_ParseStringCommand(char *a1@<ebp>, int a2@<edi>)
{
char *v2; // esi@1
char *v3; // eax@1
command_t *v4; // ebx@2
v2 = MSG_ReadString();
COM_Parse(v2);
v3 = clcommands[0].command;
if ( clcommands[0].command )
{
v4 = &clcommands[1];
while ( Q_strcasecmp(com_token, v3) )
{
++v4;
v3 = v4[-1].command;
if ( !v3 )
goto LABEL_6;
}
Cmd_ExecuteString(a1, a2, v2, 0);
}
else
{
LABEL_6:
if ( Q_strlen(v2) > 127 )
v2[127] = 0;
Cmd_TokenizeString((int)a1, a2, v2);
gEntityInterface.pfnClientCommand(sv_player);
}
}
Since the listen server also has client code in its engine, it has a registered cvar name, which will change if any connected client sends name as clc_stringcmd to the listen server.
As a solution, I suggest simply deleting the name string from the clcommands array.