#include <stdio.h>

void function(int a, int b, int c) {
   char buffer1[5];
   char buffer2[10];
}

void main() {
  function(1,2,3);
}

Stack layout of function()'s frame (memory addresses grow to the right, the stack grows to the left):

bottom of                                                            top of
memory                                                               memory
           buffer2       buffer1   sfp   ret   a     b     c
<------   [            ][        ][    ][    ][    ][    ][    ]

top of                                                               bottom of
stack                                                                stack

From gdb result,

[chow@rh72 bufferOverflow]$ gdb example1
GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) break example1.c:9
Breakpoint 1 at 0x804843e: file example1.c, line 9.
(gdb) run
Starting program: /home/chow/bufferOverflow/example1

Breakpoint 1, main () at example1.c:9
9         function(1,2,3);
(gdb) s
function (a=1, b=2, c=3) at example1.c:6
6       }
(gdb) bt
#0  function (a=1, b=2, c=3) at example1.c:6
#1  0x0804844c in main () at example1.c:9
#2  0x4003e507 in __libc_start_main (main=0x8048438, argc=1, ubp_av=0xbffffb44, init=0x80482bc <_init>, fini=0x80484a0 <_fini>, rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffffb3c) at ../sysdeps/generic/libc-start.c:129
(gdb) info frame 0
Stack frame at 0xbffffab8:
 eip = 0x8048436 in function (example1.c:6); saved eip 0x804844c
 called by frame at 0xbffffad8
 source language c.
 Arglist at 0xbffffab8, args: a=1, b=2, c=3
 Locals at 0xbffffab8, Previous frame's sp is 0x0
 Saved registers:
  ebp at 0xbffffab8, eip at 0xbffffabc
(gdb) x 0xbffffab8              ; SFP
0xbffffab8:     0xbffffad8
(gdb) x 0xbffffabc              ; RET, same as the saved eip reported by info frame
0xbffffabc:     0x0804844c
(gdb) x 0xbffffac0
0xbffffac0:     0x00000001      ; parameter a
(gdb) x 0xbffffac4
0xbffffac4:     0x00000002      ; b
(gdb) x 0xbffffac8
0xbffffac8:     0x00000003      ; c
(gdb) p &buffer1
$1 = (char (*)[5]) 0xbffffaa0   ; between buffer1 and sfp there are 24 bytes. why not 0xbffffab0?
(gdb) p &buffer2
$2 = (char (*)[10]) 0xbffffa90  ; between buffer1 and buffer2, 16 bytes. mem alignment?
(gdb)
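Added example (not part of these notes) that encodes the idealized i386 frame from the diagram above and compares it with the addresses gdb reported: the saved eip and argument offsets match the picture (+4, +8, +12, +16 from the sfp), but buffer1 and buffer2 sit 16 and 20 bytes lower than word-rounded locals would predict, which is the alignment gap questioned after `p &buffer1`. All function and struct names are my own; the sizes and addresses are the ones from the session.

```c
#include <stdio.h>
#include <stdint.h>

/* Idealized i386 cdecl frame as drawn above: 4-byte words, saved eip at
 * ebp+4, arguments at ebp+8, +12, ..., locals below ebp in declaration
 * order, each rounded up to a whole word. Real compilers add padding. */
#define WORD 4
#define MAX_SLOTS 8

struct frame_model {
    int ret_off;              /* offset of saved eip from the sfp (ebp) */
    int arg_off[MAX_SLOTS];   /* offsets of the arguments */
    int local_off[MAX_SLOTS]; /* offsets of each local's first byte (negative) */
};

static int round_up(int n, int align) { return (n + align - 1) / align * align; }

void model_frame(int nargs, const int *local_sizes, int nlocals, struct frame_model *m)
{
    int i, sp = 0;
    m->ret_off = WORD;
    for (i = 0; i < nargs && i < MAX_SLOTS; i++)
        m->arg_off[i] = 2 * WORD + i * WORD;
    for (i = 0; i < nlocals && i < MAX_SLOTS; i++) {
        sp -= round_up(local_sizes[i], WORD);  /* stack grows downward */
        m->local_off[i] = sp;
    }
}

/* Offset of a gdb-reported address from the sfp address; negative = below ebp. */
int measured_offset(uint32_t sfp_addr, uint32_t addr)
{
    return (int)((int64_t)addr - (int64_t)sfp_addr);
}

/* Bytes between a local's first byte and the saved eip: the slack an
 * out-of-bounds write has before it corrupts the return address. */
int distance_to_saved_eip(int local_off, int ret_off) { return ret_off - local_off; }

int main(void)
{
    const int sizes[2] = { 5, 10 };                 /* buffer1, buffer2 */
    const uint32_t sfp = 0xbffffab8, b1 = 0xbffffaa0, b2 = 0xbffffa90;
    struct frame_model m;
    model_frame(3, sizes, 2, &m);
    printf("buffer1: model %d, gdb %d, padding %d\n", m.local_off[0],
           measured_offset(sfp, b1), m.local_off[0] - measured_offset(sfp, b1));
    printf("buffer2: model %d, gdb %d, padding %d\n", m.local_off[1],
           measured_offset(sfp, b2), m.local_off[1] - measured_offset(sfp, b2));
    printf("bytes from buffer1 to saved eip: %d\n",
           distance_to_saved_eip(measured_offset(sfp, b1), m.ret_off));
    return 0;
}
```

The lesson for reviewing code like example1.c is that the distance from a buffer to the saved return address is compiler-specific and must be measured, as the gdb session does, rather than read off the idealized diagram.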