From 6b3588488406de179e4a77cd62462ecb10ae5b60 Mon Sep 17 00:00:00 2001
From: Carlos Eduardo Arango Gutierrez
Date: Fri, 13 Feb 2026 08:37:40 +0100
Subject: [PATCH] fix(provisioner): close SSH client before reassign, close pipe reader

provision() overwrote p.Client with a new SSH connection without closing the old one, leaking TCP sockets and goroutines. Also close the io.Pipe reader after wg.Wait() for completeness. Audit findings #14 (MEDIUM), #29 (LOW).
Signed-off-by: Carlos Eduardo Arango Gutierrez
---
 pkg/provisioner/provisioner.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pkg/provisioner/provisioner.go b/pkg/provisioner/provisioner.go
index b354b1d80..dba9c03bf 100644
--- a/pkg/provisioner/provisioner.go
+++ b/pkg/provisioner/provisioner.go
@@ -216,6 +216,12 @@ func (p *Provisioner) resetConnection() error {
 func (p *Provisioner) provision() error {
 var err error
+ // Close existing client before creating new connection
+ if p.Client != nil {
+ _ = p.Client.Close()
+ p.Client = nil
+ }
+
 // Create a new ssh connection
 p.Client, err = connectOrDie(p.KeyPath, p.UserName, p.HostUrl)
 if err != nil {
@@ -259,6 +265,7 @@ func (p *Provisioner) provision() error {
 _ = writer.Close()
 wg.Wait()
+ _ = reader.Close()
 select {
 case copyErr := <-copyErrCh:
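Review bot: The `_ = p.Client.Close()` added at the top of provision() discards the error without saying why, and the comment above it restates the code instead of giving the reason. Since this is the fix for a leaked SSH connection, I would record the intent there, e.g. `// Best-effort close of the previous SSH connection so its socket and goroutines are released; the error is ignored because the client is replaced just below.` The close / set-to-nil / reassign sequence on p.Client is also unsynchronized in the lines shown, so if another goroutine can still be using p.Client when provision() runs (not visible from this hunk), it needs a lock or a documented single-caller contract. provision()'s body continues outside the hunk.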
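Review bot: `_ = reader.Close()` placed after `wg.Wait()` only runs when provision() gets this far, so any earlier `return` between the pipe's creation and this line would still leave the reader open, and anything still blocked on the pipe would stay blocked. That part of the function is outside the hunk, so I cannot confirm whether such a return exists. Closing the reader where the pipe is created, with `defer func() { _ = reader.Close() }()`, would cover every exit path. The enclosing function starts and ends outside the hunk.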