Can't disable SSP

I have a simple code that was taken from Protostar 0 (format string) - The code was changed a little (see below).

I have examined the stack frame of the vuln function. I noticed that between the locals and ebp there are two values.

Not sure if these two values are canaries or not, because I compiled the program as folowing:

gcc proto_0.c -o proto_0 -fno-stack-protector -m32

From my understanding -fno-stack-protector flag disables canaries, so what are these values?

void vuln(char *string)
{
    int target = 1;
    char buffer[32];
    sprintf(buffer, string);
    if(target == 0xdeadbeef) {
      printf("you have hit the target correctly :)\n");
    }
}

int main(int argc, char **argv)
{
    vuln(argv[1]);
}

Stack Frame:

ret address

saved ebp

0x00000000

0xf7fab3fc

target

buffer

Expected Stack Frame:

ret address

saved ebp

target

buffer