transport: Fix partial write handling for large messages

The sender was ignoring the return value from sendmsg/send, which
indicates how many bytes were actually written. For messages larger
than the kernel socket buffer (~200KB), this caused message truncation.

Fix by looping until all bytes are sent:
- Track bytes_sent offset and continue from where we left off
- Send FDs only with the first sendmsg call (they're queued by receiver)
- Use regular send() for subsequent chunks

Also update README.md to clarify transmission rules:
- FDs MUST arrive before/with final message bytes

Add tests for 1MB messages with and without file descriptors.

Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

README.md

@@ -28,15 +28,11 @@ JSON is a self-delimiting format—a compliant parser can determine where one JS
 * Each message MUST be a complete, valid JSON object.
 * Whitespace between messages is permitted but not required.
 
-### 2.3. Transmission Rule
+### 2.3. Transmission Rules
 
-To unambiguously associate file descriptors with their corresponding message, a sending party **MUST** adhere to the following rule:
+To ensure file descriptors are correctly associated with their corresponding messages, a sending party MUST adhere to the following rules:
 
-**A single sendmsg(2) system call MUST contain exactly one and only one complete JSON-RPC message.**
-
-File descriptors intended for that message MUST be included as ancillary data in that same sendmsg() call. A sendmsg() call that includes file descriptors MUST also contain a complete JSON-RPC message.
-
-* **Rationale:** This strict 1:1 mapping between a sendmsg() call, a single JSON-RPC message, and its associated file descriptors is the core of the protocol. It leverages the kernel's guarantee that data and ancillary data from a single sendmsg call are delivered atomically to the underlying transport. This allows the receiver to reliably associate FDs with messages even if multiple messages are coalesced in the stream.
+1. **File Descriptor Ordering:** All file descriptors referenced by a message MUST be sent (via ancillary data) before or with the final bytes of that message. The receiver dequeues FDs in order as complete messages are parsed; if the required FDs have not yet arrived, the connection is terminated with a Mismatched Count error.
 
 ## 3. Message Format
 
@@ -138,4 +134,4 @@ The security considerations are identical to those for other Unix domain socket
 
 * **Socket Permissions:** Filesystem permissions on the socket file are the primary access control mechanism.
 * **Trust Boundary:** The communicating processes must have a degree of mutual trust, as passing a file descriptor is a grant of capability.
-* **Resource Management:** The receiving process is responsible for closing all file descriptors it receives to prevent resource leaks. If a connection is terminated due to a protocol error, the receiver MUST ensure that any FDs remaining in its queue are closed.
+* **Resource Management:** The receiving process is responsible for closing all file descriptors it receives to prevent resource leaks. If a connection is terminated due to a protocol error, the receiver MUST ensure that any FDs remaining in its queue are closed.

src/transport.rs

@@ -75,36 +75,66 @@ impl Sender {
 
         let fds = message_with_fds.file_descriptors;
 
-        self.stream
-            .async_io(Interest::WRITABLE, || {
-                let sockfd = self.stream.as_fd();
-
-                if fds.is_empty() {
-                    // No file descriptors to send - use regular send
-                    rustix::net::send(sockfd, &data, SendFlags::empty())
-                        .map_err(|e| to_io_error(e, "send"))?;
-                } else {
-                    // Convert OwnedFd to BorrowedFd for sending
-                    let borrowed_fds: Vec<_> = fds.iter().map(|fd| fd.as_fd()).collect();
-
-                    let mut buffer: Vec<u8> =
-                        vec![0u8; rustix::cmsg_space!(ScmRights(MAX_FDS_PER_MESSAGE))];
-                    let mut control = SendAncillaryBuffer::new(buffer.as_mut_slice());
-
-                    if !control.push(SendAncillaryMessage::ScmRights(&borrowed_fds)) {
-                        return Err(io::Error::other(
-                            "Failed to add file descriptors to control message",
-                        ));
+        // Track how many bytes we've sent so far
+        let mut bytes_sent = 0usize;
+        // FDs are only sent with the first sendmsg call
+        let mut fds_sent = false;
+
+        while bytes_sent < data.len() {
+            let remaining = &data[bytes_sent..];
+
+            let sent = self
+                .stream
+                .async_io(Interest::WRITABLE, || {
+                    let sockfd = self.stream.as_fd();
+
+                    if !fds_sent && !fds.is_empty() {
+                        // First chunk with FDs: use sendmsg with ancillary data
+                        let borrowed_fds: Vec<_> = fds.iter().map(|fd| fd.as_fd()).collect();
+
+                        let mut buffer: Vec<u8> =
+                            vec![0u8; rustix::cmsg_space!(ScmRights(MAX_FDS_PER_MESSAGE))];
+                        let mut control = SendAncillaryBuffer::new(buffer.as_mut_slice());
+
+                        if !control.push(SendAncillaryMessage::ScmRights(&borrowed_fds)) {
+                            return Err(io::Error::other(
+                                "Failed to add file descriptors to control message",
+                            ));
+                        }
+
+                        let iov = [IoSlice::new(remaining)];
+                        let sent =
+                            rustix::net::sendmsg(sockfd, &iov, &mut control, SendFlags::empty())
+                                .map_err(|e| to_io_error(e, "sendmsg"))?;
+
+                        Ok(sent)
+                    } else {
+                        // No FDs or FDs already sent: use regular send
+                        let sent = rustix::net::send(sockfd, remaining, SendFlags::empty())
+                            .map_err(|e| to_io_error(e, "send"))?;
+                        Ok(sent)
                     }
+                })
+                .await
+                .map_err(Error::Io)?;
 
-                    let iov = [IoSlice::new(&data)];
-                    rustix::net::sendmsg(sockfd, &iov, &mut control, SendFlags::empty())
-                        .map_err(|e| to_io_error(e, "sendmsg"))?;
-                }
-                Ok(())
-            })
-            .await
-            .map_err(Error::Io)
+            bytes_sent += sent;
+
+            // Mark FDs as sent after first successful sendmsg
+            if !fds_sent && !fds.is_empty() {
+                fds_sent = true;
+                trace!("Sent {} FDs with first chunk ({} bytes)", fds.len(), sent);
+            }
+
+            trace!(
+                "Sent {}/{} bytes (this chunk: {})",
+                bytes_sent,
+                data.len(),
+                sent
+            );
+        }
+
+        Ok(())
     }
 }
 

tests/integration_tests.rs

@@ -1885,3 +1885,142 @@ async fn test_sender_pretty_mode() -> Result<()> {
 
     Ok(())
 }
+
+/// Test that large messages exceeding kernel buffer size are sent correctly.
+///
+/// This reproduces a bug where partial writes from sendmsg() were not handled,
+/// causing large messages to be truncated.
+#[tokio::test]
+async fn test_large_message_exceeds_kernel_buffer() -> Result<()> {
+    // Create a large payload that will exceed the typical kernel socket buffer
+    // (usually ~200KB). We'll use 1MB to be safe.
+    let large_data = "x".repeat(1024 * 1024);
+
+    let (client_stream, server_stream) = tokio::net::UnixStream::pair().unwrap();
+
+    let expected_data = large_data.clone();
+    let server_handle = tokio::spawn(async move {
+        let transport = UnixSocketTransport::new(server_stream).unwrap();
+        let (_sender, mut receiver) = transport.split();
+
+        let message_with_fds = receiver.receive().await?;
+        let message = message_with_fds.message;
+
+        // Verify we received the complete message
+        if let JsonRpcMessage::Request(req) = message {
+            let params = req.params.unwrap();
+            let received_data = params["data"].as_str().unwrap();
+            assert_eq!(
+                received_data.len(),
+                expected_data.len(),
+                "Message was truncated! Expected {} bytes, got {} bytes",
+                expected_data.len(),
+                received_data.len()
+            );
+            assert_eq!(received_data, expected_data);
+        } else {
+            panic!("Expected request message");
+        }
+
+        Ok::<(), jsonrpc_fdpass::Error>(())
+    });
+
+    let transport = UnixSocketTransport::new(client_stream).unwrap();
+    let (mut sender, _receiver) = transport.split();
+
+    let request = JsonRpcRequest::new(
+        "large_data".to_string(),
+        Some(serde_json::json!({
+            "data": large_data
+        })),
+        Value::Number(1.into()),
+    );
+    let message = JsonRpcMessage::Request(request);
+    let message_with_fds = MessageWithFds::new(message, vec![]);
+
+    sender.send(message_with_fds).await?;
+
+    // Wait for server to process and verify
+    server_handle.await.unwrap()?;
+
+    Ok(())
+}
+
+/// Test that large messages with file descriptors work correctly.
+///
+/// This tests the case where FDs must be sent with the first chunk,
+/// and remaining data sent in subsequent chunks.
+#[tokio::test]
+async fn test_large_message_with_fd() -> Result<()> {
+    // Create a large payload
+    let large_data = "y".repeat(1024 * 1024);
+
+    // Create a temp file to pass
+    let mut temp_file = NamedTempFile::new().unwrap();
+    write!(temp_file, "FD test content").unwrap();
+    temp_file.flush().unwrap();
+    temp_file.seek(SeekFrom::Start(0)).unwrap();
+    let fd: OwnedFd = temp_file.into_file().into();
+
+    let (client_stream, server_stream) = tokio::net::UnixStream::pair().unwrap();
+
+    let expected_data = large_data.clone();
+    let server_handle = tokio::spawn(async move {
+        let transport = UnixSocketTransport::new(server_stream).unwrap();
+        let (_sender, mut receiver) = transport.split();
+
+        let message_with_fds = receiver.receive().await?;
+        let message = message_with_fds.message;
+        let fds = message_with_fds.file_descriptors;
+
+        // Verify we received the FD
+        assert_eq!(fds.len(), 1, "Expected 1 file descriptor");
+
+        // Verify we can read from the FD
+        let mut file = File::from(fds.into_iter().next().unwrap());
+        let mut contents = String::new();
+        file.read_to_string(&mut contents).unwrap();
+        assert_eq!(contents, "FD test content");
+
+        // Verify we received the complete message
+        if let JsonRpcMessage::Request(req) = message {
+            let params = req.params.unwrap();
+            let received_data = params["data"].as_str().unwrap();
+            assert_eq!(
+                received_data.len(),
+                expected_data.len(),
+                "Message was truncated! Expected {} bytes, got {} bytes",
+                expected_data.len(),
+                received_data.len()
+            );
+        } else {
+            panic!("Expected request message");
+        }
+
+        Ok::<(), jsonrpc_fdpass::Error>(())
+    });
+
+    let transport = UnixSocketTransport::new(client_stream).unwrap();
+    let (mut sender, _receiver) = transport.split();
+
+    let request = JsonRpcRequest::new(
+        "large_data_with_fd".to_string(),
+        Some(serde_json::json!({
+            "data": large_data,
+            "file": {
+                "__jsonrpc_fd__": true,
+                "index": 0
+            }
+        })),
+        Value::Number(1.into()),
+    );
+    let message = JsonRpcMessage::Request(request);
+    let message_with_fds = MessageWithFds::new(message, vec![fd]);
+
+    sender.send(message_with_fds).await?;
+
+    // Wait for server to process and verify
+    server_handle.await.unwrap()?;
+
+    Ok(())
+}