The FreeBSD sendfile system call allows a server application (such as an HTTP or FTP server) to transmit the contents of a file over a network connection without first copying it to application memory.
The FreeBSD kernel does not clear the memory it uses for sendfile before that memory is used, which allows users to retrieve random information about the system.
If the file being transmitted is truncated after the transfer has started but before it completes, sendfile will transfer the contents of more or less random portions of kernel memory in lieu of the missing part of the file.
A local user could create a large file and truncate it while transferring it to himself, thus obtaining a copy of portions of system memory to which he would normally not have access. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.
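The failure mode above is a transfer length sampled once and trusted after the file has shrunk. The following is an added example, not FreeBSD kernel code or code from the advisory: a user-space copy loop that applies the corresponding rule, forwarding only the bytes a read actually returned. It goes beyond the kernel case described here; the names `copy_checked` and `demo_truncated_transfer` are hypothetical, and it assumes a POSIX system with a writable `/tmp`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy up to len bytes from in_fd to out_fd. len may be stale (sampled
 * before a truncation), so only the count returned by pread() says how
 * much of buf holds file data. Returns bytes forwarded, or -1 on error. */
ssize_t copy_checked(int in_fd, int out_fd, off_t len)
{
    char buf[4096];
    off_t off = 0;
    while (off < len) {
        size_t want = (len - off < (off_t)sizeof buf) ? (size_t)(len - off) : sizeof buf;
        ssize_t got = pread(in_fd, buf, want, off);
        if (got < 0) return -1;
        if (got == 0) break;   /* file shrank: stop, never pad from buf */
        for (ssize_t done = 0; done < got; ) {
            ssize_t w = write(out_fd, buf + done, (size_t)(got - done));
            if (w < 0) return -1;
            done += w;
        }
        off += got;
    }
    return (ssize_t)off;
}

/* Constructed scenario: length sampled at 8192 bytes, file then truncated
 * to 1000 bytes, copy run with the stale length. Returns bytes delivered. */
ssize_t demo_truncated_transfer(void)
{
    char src[] = "/tmp/sf_src_XXXXXX", dst[] = "/tmp/sf_dst_XXXXXX";
    char fill[8192];
    int in_fd = mkstemp(src), out_fd = mkstemp(dst);
    ssize_t sent = -1;
    memset(fill, 'A', sizeof fill);
    if (in_fd >= 0 && out_fd >= 0 &&
        write(in_fd, fill, sizeof fill) == (ssize_t)sizeof fill &&
        ftruncate(in_fd, 1000) == 0)
        sent = copy_checked(in_fd, out_fd, (off_t)sizeof fill);
    if (sent >= 0 && lseek(out_fd, 0, SEEK_END) != (off_t)sent)
        sent = -1;             /* destination must hold exactly what was read */
    if (in_fd >= 0) { close(in_fd); unlink(src); }
    if (out_fd >= 0) { close(out_fd); unlink(dst); }
    return sent;
}

int main(void) { return demo_truncated_transfer() == 1000 ? 0 : 1; }
```

The receiver gets a short transfer rather than filler, so a caller that requires the full length must treat a return value below `len` as an error.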