Hi everyone

I have been working on a few examples that appear in the some of the books I am currently working through on stack based buffer overflows. When ever I attempt to overflow any buffer say 400 bytes with a 420 byte string of "A"'s I receive a segmentation fault but once I start up gdb and set a breakpoint directly after the vulnerable function the 2 parameters are overwritten with the string of "A"'s but the eip and ebp register are not, even though the string of "A"'s are changed to a length of 600 bytes. every time I check the registers within gdb the eip has changed from something like 0x804841d to 0x804849a.

Before compiling the program I made sure to disable ASLR with the following command and checked that esp register remains the same :
Code:
echo "0" > /proc/sys/kernel/randomize_va_space
This worked fine.

I compiled the program as follows :
Code:
gcc --no-stack-protector -mpreferred-stack-boundary=2 -o name.exe -ggdb name.c
The question I would like to ask is why am I still unable to overwrite the saved return address on the stack? Is there another stack protection feature within BT5 that I am unaware of? or is it something really basic that I might be overlooking?

All help appreciated
Thank You