How do hackers arbitrarily execute their own code using non-null-terminated strings passed to strlen()?
I’m going through the CERT C coding standards, and rule STR32-C specifies “do not pass a non-null-terminated character to a library function that expects a string”. It mentions that a buffer overflow or execution of remote code can be performed, and provides strlen() as an example of a library function that could be exploited. But how would this work if strlen() doesn’t write any data, but only reads the memory until it finds the null-terminated character and then returns the number of characters it finds?
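An added example, not part of the original post: strlen() itself only reads, so the risk lies in how an array loses its terminator and in later code trusting the length that comes back. The sketch below shows strncpy() producing a non-terminated array, a bounded check that detects it without reading out of bounds, and a copy that always terminates; the function names and the 8-byte buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: length of the string in buf if a terminator exists
 * within the first cap bytes, or -1 if the array is not null-terminated.
 * Unlike strlen(), memchr() never reads past cap bytes. */
long terminated_len(const char *buf, size_t cap)
{
    const char *nul = memchr(buf, '\0', cap);
    return nul ? (long)(nul - buf) : -1;
}

/* The pattern STR32-C warns about: strncpy() writes no terminator when src
 * holds cap or more characters, so dst is not a string afterwards. */
long copy_unchecked(char *dst, size_t cap, const char *src)
{
    strncpy(dst, src, cap);
    return terminated_len(dst, cap);  /* -1: strlen(dst) would read past dst */
}

/* Hardened form: reject input that does not fit and always terminate. */
int copy_checked(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);           /* src is a genuine string here */
    if (cap == 0 || n >= cap)
        return -1;
    memcpy(dst, src, n + 1);          /* n + 1 copies the terminator too */
    return 0;
}

int main(void)
{
    char dst[8];
    /* Constructed inputs: one that exactly fills dst, one that fits. */
    printf("unchecked, 8 chars: %ld\n", copy_unchecked(dst, sizeof dst, "12345678"));
    printf("unchecked, 7 chars: %ld\n", copy_unchecked(dst, sizeof dst, "1234567"));
    printf("checked,   8 chars: %d\n", copy_checked(dst, sizeof dst, "12345678"));
    return 0;
}
```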