"buffer overflow detected" when downloading NPR podcast #200

Closed
RichardRo opened this issue Mar 31, 2019 · 10 comments

@RichardRo

axel -o a.mp3 https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
Initializing download: https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
File size: 19194305 bytes
Opening output file a.mp3
State file found: 0 bytes downloaded, 19194305 to go.
Starting download
*** buffer overflow detected ***: axel terminated

@ismaell
Member

ismaell commented Apr 2, 2019

Which version is it? Can you provide a trace?

@RichardRo
Author

axel -V
Axel version 2.16.1 (Linux)

And attached is the strace file.
axel_strace.txt

@thinkycx

thinkycx commented Apr 5, 2019

Hello, I am interested in this vuln; however, I failed to reproduce it.
It seems the file size has changed, hasn't it?
Can anyone reproduce it?
@ismaell @RichardRo

axel version:

$ axel -V
Axel version 2.16.1 (Linux)

Copyright 2001-2007 Wilmer van der Gaast,
	  2007-2009 Giridhar Appaji Nag,
	  2008-2010 Philipp Hagemeister,
	  2015-2017 Joao Eriberto Mota Filho,
	  2016-2017 Stephen Thirlwall,
	  2017      Ismael Luceno,
	  2017      Antonio Quartulli,
		    and others.
Please, see the CREDITS file.

output:

$ axel -o a.mp3 https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
Initializing download: https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
File size: 18929319 bytes
Opening output file a.mp3
State file found: 0 bytes downloaded, 18929319 to go.
Starting download

@lalkh

lalkh commented Apr 5, 2019

I cannot reproduce this crash.
axel -o b.mp3 https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
Initializing download: https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
File size: 18929319 bytes
Opening output file b.mp3
Starting download
I got a different byte size.

@RichardRo
Author

RichardRo commented Apr 6, 2019

@thinkycx @lalkh Thanks guys.
Your outputs are the same as mine until "Starting download".
But after "Starting download", after waiting for about 20-30 seconds,
there will be this output:
*** buffer overflow detected ***: axel terminated
Aborted

More information:
uname -a
Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/issue
Ubuntu 18.04 LTS \n \l

I also tried wget and it worked well:
wget -O a.mp3 https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
--2019-04-06 09:48:01-- https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
Resolving play.podtrac.com (play.podtrac.com)... 54.165.33.212, 52.3.3.236
Connecting to play.podtrac.com (play.podtrac.com)|54.165.33.212|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3 [following]
--2019-04-06 09:48:01-- https://npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
Resolving npr.streaming.adswizz.com (npr.streaming.adswizz.com)... 52.88.136.205, 52.88.193.110, 52.89.238.157, ...
Connecting to npr.streaming.adswizz.com (npr.streaming.adswizz.com)|52.88.136.205|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cf-npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3/20190329_pmoney_pmpod903.mp3_b822ec15b772a855f109d9fdb72d4541_18929319.mp3?hash_redirect=1&x-total-bytes=18929319&listeningSessionID=0CD_382_95__80e29a9c7de0a7b499b51fd71e007b9167452b22 [following]
--2019-04-06 09:48:01-- https://cf-npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3/20190329_pmoney_pmpod903.mp3_b822ec15b772a855f109d9fdb72d4541_18929319.mp3?hash_redirect=1&x-total-bytes=18929319&listeningSessionID=0CD_382_95__80e29a9c7de0a7b499b51fd71e007b9167452b22
Resolving cf-npr.streaming.adswizz.com (cf-npr.streaming.adswizz.com)... 54.230.136.77, 54.230.136.152, 54.230.136.209, ...
Connecting to cf-npr.streaming.adswizz.com (cf-npr.streaming.adswizz.com)|54.230.136.77|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18929319 (18M) [audio/mpeg]
Saving to: ‘a.mp3’

a.mp3 100%[==============================================================================>] 18.05M 36.8MB/s in 0.5s

2019-04-06 09:48:02 (36.8 MB/s) - ‘a.mp3’ saved [18929319/18929319]

Also tried gdb, got something like this:
$ gdb
GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
(gdb) file axel
Reading symbols from axel...(no debugging symbols found)...done.
(gdb) run -o a.mp3 https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
Starting program: /usr/bin/axel -o a.mp3 https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Initializing download: https://play.podtrac.com/npr-510289/npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pmoney_pmpod903.mp3
File size: 18929319 bytes
Opening output file a.mp3
[New Thread 0x7ffff6b8a700 (LWP 31816)]
[New Thread 0x7fffeffff700 (LWP 31817)]
[New Thread 0x7ffff6389700 (LWP 31818)]
[New Thread 0x7ffff5b88700 (LWP 31819)]
Starting download
[Thread 0x7ffff5b88700 (LWP 31819) exited]
[Thread 0x7ffff6b8a700 (LWP 31816) exited]
[Thread 0x7fffeffff700 (LWP 31817) exited]
[New Thread 0x7ffff6b8a700 (LWP 31820)]
[New Thread 0x7fffeffff700 (LWP 31821)]
[New Thread 0x7ffff5b88700 (LWP 31822)]
[Thread 0x7fffeffff700 (LWP 31821) exited]
[Thread 0x7ffff5b88700 (LWP 31822) exited]
[Thread 0x7ffff6b8a700 (LWP 31820) exited]
[New Thread 0x7ffff6b8a700 (LWP 31823)]
[New Thread 0x7fffeffff700 (LWP 31824)]
[New Thread 0x7ffff5b88700 (LWP 31825)]
[Thread 0x7ffff6389700 (LWP 31818) exited]
[Thread 0x7ffff6b8a700 (LWP 31823) exited]
[Thread 0x7fffeffff700 (LWP 31824) exited]
[Thread 0x7ffff5b88700 (LWP 31825) exited]
...(repeats Thread xxx exited and New Thread xxx)

Just let me know if there is any other information I need to provide, thanks.

@thinkycx

thinkycx commented Apr 6, 2019

I have tried your command on several Linux OSes, such as:

4.15.0-36-generic
Ubuntu 18.04.1 LTS \n \l

However, after waiting for about 1 min, it still hangs. I also used gdb to look into it and its output is the same as yours -- many threads exited.
Maybe the buffer overflow is not stable? @RichardRo

@RichardRo
Author

@thinkycx
I can reproduce this on my machine every time after 20-30 seconds.

Adding backtrace info:
[Thread 0x7ffff6b8a700 (LWP 11294) exited]
[Thread 0x7ffff5387700 (LWP 11296) exited]
[Thread 0x7ffff6389700 (LWP 11295) exited]
[New Thread 0x7ffff6b8a700 (LWP 11297)]
[New Thread 0x7ffff6389700 (LWP 11298)]
[New Thread 0x7ffff5387700 (LWP 11299)]
[Thread 0x7ffff5b88700 (LWP 11292) exited]
*** buffer overflow detected ***: /usr/local/bin/axel terminated

Thread 1019 "axel" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff5387700 (LWP 11299)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff7123801 in __GI_abort () at abort.c:79
#2 0x00007ffff716c897 in __libc_message (action=action@entry=(do_abort | do_backtrace), fmt=fmt@entry=0x7ffff7299988 "*** %s ***: %s terminated\n")
at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff7217cff in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true, msg=msg@entry=0x7ffff7299905 "buffer overflow detected")
at fortify_fail.c:33
#4 0x00007ffff7217d21 in __GI___fortify_fail (msg=msg@entry=0x7ffff7299905 "buffer overflow detected") at fortify_fail.c:44
#5 0x00007ffff7215a10 in __GI___chk_fail () at chk_fail.c:28
#6 0x00007ffff7217c0a in __fdelt_chk (d=d@entry=1024) at fdelt_chk.c:25
#7 0x000055555555e0a1 in tcp_connect (tcp=tcp@entry=0x555555775128, hostname=hostname@entry=0x5555557718bc "cf-npr.streaming.adswizz.com",
port=port@entry=443, secure=1, local_if=0x555555764428 "",
message=0x555555774500 "HTTP/1.1 302 Found\nContent-Length: 0\nConnection: close\nServer: CloudFront\nDate: Sat, 06 Apr 2019 04:43:51 GMT\nLocation: https://cf-npr.streaming.adswizz.com/anon.npr-mp3/npr/pmoney/2019/03/20190329_pm"..., io_timeout=120) at tcp.c:128
#8 0x000055555555ca2e in http_connect (conn=conn@entry=0x555555773500, proto=, proto@entry=3, proxy=proxy@entry=0x0,
host=host@entry=0x5555557718bc "cf-npr.streaming.adswizz.com", port=443, user=user@entry=0x5555557724bc "", pass=0x5555557728bc "", io_timeout=120)
at http.c:119
#9 0x000055555555b26a in conn_init (conn=conn@entry=0x5555557718a8) at conn.c:233
#10 0x000055555555b4f5 in conn_setup (conn=conn@entry=0x5555557718a8) at conn.c:250
#11 0x000055555555822e in setup_thread (c=0x5555557718a8) at axel.c:777
#12 0x00007ffff74db6db in start_thread (arg=0x7ffff5387700) at pthread_create.c:463
#13 0x00007ffff720488f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
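
Frame #6 of the backtrace above is `__fdelt_chk (d=1024)`, glibc's fortified bounds check behind `FD_SET`/`FD_ISSET`, which aborts with "buffer overflow detected" when a descriptor number is not below `FD_SETSIZE` (1024 on Linux). The C program below is an added example, not part of the thread and not axel's code: it puts a range-checked `select()` wait next to a `poll()` wait that has no such limit. All function names are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example (not axel code). An fd_set only has bits 0 .. FD_SETSIZE-1. */
int fits_fd_set(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* select() wait that rejects out-of-range descriptors instead of letting
 * FD_SET index past the set; the caller should fall back to poll(). */
int wait_writable_select(int fd, int timeout_ms)
{
	fd_set w;
	struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
	if (!fits_fd_set(fd)) { errno = EINVAL; return -1; }
	FD_ZERO(&w); FD_SET(fd, &w);
	int r = select(fd + 1, NULL, &w, NULL, &tv);
	return r > 0 ? FD_ISSET(fd, &w) != 0 : r;
}

/* poll() takes the descriptor by value, so any valid fd number works. */
int wait_writable_poll(int fd, int timeout_ms)
{
	struct pollfd p = { .fd = fd, .events = POLLOUT };
	int r = poll(&p, 1, timeout_ms);
	return r > 0 ? (p.revents & POLLOUT) != 0 : r;
}

/* Constructed scenario: duplicate a socket onto a descriptor number
 * >= FD_SETSIZE, as happens once a process holds that many open files. */
int demo(void)
{
	int sv[2], rc = 0; struct rlimit rl;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
	if (wait_writable_select(sv[0], 100) != 1) rc = 2;
	if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < 2048) {
		rl.rlim_cur = rl.rlim_max < 2048 ? rl.rlim_max : 2048;
		setrlimit(RLIMIT_NOFILE, &rl);
	}
	int hi = fcntl(sv[0], F_DUPFD, FD_SETSIZE);
	if (hi >= 0) {	/* skipped when the fd limit cannot be raised */
		if (wait_writable_select(hi, 100) != -1) rc = 3;
		if (wait_writable_poll(hi, 100) != 1) rc = 4;
		close(hi);
	}
	close(sv[0]); close(sv[1]);
	return rc;
}
int main(void) { return demo(); }
```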

@lalkh

lalkh commented Apr 6, 2019

@RichardRo When I use the http protocol with this mp3, it can be downloaded successfully; however, when I use the https protocol, it hangs on "Starting download".

@ismaell
Member

ismaell commented May 14, 2019

Check out v2.17.2.

@ismaell ismaell closed this as completed May 14, 2019
@thinkycx

Could you reproduce it again now?
@RichardRo
