Is the buffer overflow done on the 10th byte past the allocated space?


I am reading the Shellcoder's Handbook, and there is one sentence about executing past the space:

Interestingly, we see that the program was executing address 0x0000000a — or 10 in decimal — when it crashed. More on this later in this chapter.

MY PURPOSE

  • I am trying to JUMP to an address after exceeding the buffer space. That means that after 36 bytes I write my payload (4 bytes) with the address to overwrite the ret instruction (so the address will be popped and moved to eip, as ret does), and output the input 2 times (the second time when jumped back by my payload). It is nothing so special, only educational, to see that it executes my payload instead of SEGFAULT. That is my purpose.

So here is an example (in C):

#include <stdio.h>

/* Deliberately vulnerable: scanf("%s") has no length limit, so input longer
   than 29 characters runs past ar[] into the saved ebp and return address. */
void return_input(void) {
    char ar[30];
    scanf(" %s", ar);
    printf("%s\n", ar);
}

int main(void) {
    return_input();
    return 0;
}

As I can see, I have a 30 bytes long buffer to use. When dumped:

Dump of assembler code for function main:
   0x0804919b <+0>: push   %ebp
   0x0804919c <+1>: mov    %esp,%ebp
   0x0804919e <+3>: and    $0xfffffff8,%esp
   0x080491a1 <+6>: call   0x8049172 <return_input> // here I want to jump
   0x080491a6 <+11>:    mov    $0x0,%eax
   0x080491ab <+16>:    leave  
   0x080491ac <+17>:    ret    
End of assembler dump.

Now I would like to overflow my buffer to jump to address 0x080491a1 (as it is the address of the call to <return_input>), so when it jumps, the output should be printed two times.

So finally I do:

$ printf "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDD\xa1\x91\x04\x08" | ./c.exe

Which, as I understand, should be: 10 times 'A', 10 times 'B', 10 times 'C', so now I have exhausted my allowed buffer. Continue: 6 times 'D' AND my payload (4 bytes). Together it is 40 bytes, as is mentioned in the book: ten bytes after the allocated space. So it should jump to that address, as the ret instruction on the stack should now be overwritten by my payload. But instead:

AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDD��
Segmentation fault (core dumped)

In the book, it worked:

shellcoders@debian:~/chapter_2$ printf "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDD\xed\x83\x04\x08" | ./overflow

AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDí
AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDò

But unfortunately not for me. Can someone explain to me how to make the jump without the segfault? I have tried going step by step in gdb, but even there I could not see the payload address after ret (well, it is not even possible in gdb when I am entering characters in ASCII; it must be printf that translates the payload).

So when (at what position: the 10th byte?) should I give the payload in order for it to be executed without a segfault?

Additional info: compiled as: cc -mpreferred-stack-boundary=3 -ggdb -m32 -fno-stack-protector -o $@ -no-pie -fno-PIE -z execstack $<

Additional info (dumped):

Dump of assembler code for function return_input:
   0x08049172 <+0>: push   %ebp
   0x08049173 <+1>: mov    %esp,%ebp
   0x08049175 <+3>: sub    $0x20,%esp
   0x08049178 <+6>: lea    -0x1e(%ebp),%eax
   0x0804917b <+9>: push   %eax
   0x0804917c <+10>:    push   $0x804a008
   0x08049181 <+15>:    call   0x8049050 <__isoc99_scanf@plt>
   0x08049186 <+20>:    add    $0x8,%esp
   0x08049189 <+23>:    sub    $0x4,%esp
   0x0804918c <+26>:    lea    -0x1e(%ebp),%eax
   0x0804918f <+29>:    push   %eax
   0x08049190 <+30>:    call   0x8049030 <puts@plt>
   0x08049195 <+35>:    add    $0x8,%esp
   0x08049198 <+38>:    nop
   0x08049199 <+39>:    leave  
   0x0804919a <+40>:    ret    
End of assembler dump.
Tags: c, segmentation-fault, payload, stack-smash
asked on Stack Overflow Jan 31, 2020 by Herdsman • edited Jan 31, 2020 by Herdsman
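Added example (not code from the question or from the book): the bounded counterpart of the question's return_input(), with the question's 40-byte input embedded as a constructed sample. It shows how many bytes an unbounded "%s" read writes past the 30-byte buffer (and therefore over the saved ebp and return address that follow it on the stack), and how a length-limited read drops the excess instead. The names overrun_bytes, read_bounded and stored_length are mine.

```c
#include <stdio.h>
#include <string.h>

/* Capacity of the buffer in the question's return_input(): char ar[30]. */
#define BUF_SIZE 30

/* Constructed copy of the 40-byte input piped into ./c.exe in the question. */
static const char sample_input[] =
    "AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDD\xa1\x91\x04\x08";

/* Number of bytes an unbounded "%s" read of src would write past a
 * bufsize-byte buffer (terminating NUL included); 0 if the input fits.
 * Anything above 0 lands on whatever sits after the buffer in the frame. */
size_t overrun_bytes(const char *src, size_t bufsize) {
    size_t needed = strlen(src) + 1;
    return needed > bufsize ? needed - bufsize : 0;
}

/* Bounded replacement for scanf(" %s", ar): copies at most dstsize-1 bytes
 * and always NUL-terminates, so excess input is discarded rather than
 * overwriting the saved frame pointer and return address.
 * Returns the number of input bytes that were dropped.
 * (Reading from stdin, the equivalent fix is a width: scanf("%29s", ar).) */
size_t read_bounded(const char *src, char *dst, size_t dstsize) {
    size_t len = strlen(src);
    size_t keep = len < dstsize - 1 ? len : dstsize - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return len - keep;
}

/* Bounded read into a frame-sized buffer; returns the length actually stored. */
size_t stored_length(const char *src) {
    char ar[BUF_SIZE];
    read_bounded(src, ar, sizeof ar);
    return strlen(ar);
}

int main(void) {
    char ar[BUF_SIZE];
    size_t dropped = read_bounded(sample_input, ar, sizeof ar);
    printf("unbounded read would overrun ar[%d] by %zu bytes\n",
           BUF_SIZE, overrun_bytes(sample_input, sizeof ar));
    printf("bounded read kept %zu bytes, dropped %zu: %s\n",
           strlen(ar), dropped, ar);
    return 0;
}
```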

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0