OK, it's possible that you have found a serious, easily reproducible bug in Windows 98 that no one has noticed for the last six or so years. However, before we can send off a report to bugtraq and notify CERT you're going to have to post a compilable reproduction of the problem.
Seriously, this thread is 16 posts long and we still haven't got enough information to actually look at the problem. If you're not prepared to post the code I suggest this thread be closed as trying to guess at the problem is simply wasting everyone's time.
I did post some code, but if you really believe that the full code will help, there you go:
#include <string.h>
#include <winsock.h>   /* Windows 98 target; on Unix use <sys/socket.h>, <netinet/in.h>, <arpa/inet.h> */

#define DNS_LNT 500
#define DNSPORT 53     /* not in the posted fragment; the comment on sin_port says port 53 */

int DnsSetMsg(char *msg, char *host_name, char dns_id, char dns_type);   /* body not posted */

int DnsLookup(char *dns_server, char *host_name, char dns_id, char dns_type, char *msg)
{
    int sockfd, numbytes, addr_lnt, tot_lnt;
    struct sockaddr_in ina;

    tot_lnt = DnsSetMsg(msg, host_name, dns_id, dns_type);
    /* this only sets a DNS message and returns the length */
    if ((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
        return -1;     /* the bodies of the three error branches were lost in the post; -1 is a placeholder */

    ina.sin_family = AF_INET;
    ina.sin_port = htons(DNSPORT); // port 53
    ina.sin_addr.s_addr = inet_addr(dns_server);
    memset(ina.sin_zero, '\0', 8);
    if ((numbytes = sendto(sockfd, msg, tot_lnt, 0, (struct sockaddr *)&ina, sizeof(struct sockaddr))) == -1)
        return -1;

    memset(msg, '\0', DNS_LNT);   /* writes 500 bytes into msg, whatever msg's real size is */
    addr_lnt = sizeof(struct sockaddr);
    if ((numbytes = recvfrom(sockfd, msg, DNS_LNT - 1, 0, (struct sockaddr *)&ina, &addr_lnt)) == -1)
        return -1;

    return numbytes;
}
Still not enough, sorry. We don't know how msg is declared. We don't have the code in DnsSetMsg that also uses the msg buffer. We don't know the value of tot_lnt that is passed to sendto that also uses the msg buffer. We don't have the code after the return from DnsLookup. Remember the effect of clobbering memory may be delayed.
It is easy to overrun while converting a domain name to the 3www9alltheweb3com0 format, and it is positively hard to avoid all buffer overrun scenarios when unpacking the reply and decompressing the domain names.
Post the rest of the code and we'll have a look.
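Added example (my own code, not from this thread or from the poster's program): bounds-checked versions of the two pieces the reply above calls out, converting a host name to the 3www9alltheweb3com0 form and walking a reply that uses compression pointers. The 51-byte reply, the 192.0.2.1 address and the function names are constructed for the demonstration. The only length the decoder trusts is the byte count recvfrom() actually returned; every label length, pointer and RDLENGTH inside the message is checked against it.

```c
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX 255   /* RFC 1035: max wire length of a whole name; one label is at most 63 */

/* Constructed 51-byte reply for www.alltheweb.com, A record 192.0.2.1 (a
 * documentation address). The answer's NAME is a pointer back to offset 12. */
static const unsigned char SAMPLE_RESPONSE[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,        /* header: 1 question, 1 answer */
    3,'w','w','w', 9,'a','l','l','t','h','e','w','e','b', 3,'c','o','m', 0, /* QNAME @12 */
    0,1, 0,1, 0xC0,0x0C,                             /* QTYPE A, QCLASS IN, NAME ptr->12 @35 */
    0,1, 0,1, 0,0,0x0E,0x10, 0,4, 192,0,2,1          /* A, IN, TTL 3600, RDLENGTH 4, RDATA @47 */
};

/* "www.alltheweb.com" -> 3www9alltheweb3com0 in out[cap]. Returns bytes written,
 * or -1 for an empty/overlong label, a name over 255 bytes or a too-small buffer. */
int dns_encode_name(const char *host, unsigned char *out, size_t cap)
{
    size_t pos = 0; const char *p = host;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0 && *p != '\0') return -1;   /* "a..b" or a leading dot */
        if (len == 0) break;                     /* end of name or trailing dot */
        if (len > 63) return -1;                 /* label too long for a 6-bit length */
        if (pos + 1 + len >= cap) return -1;     /* keep room for the final 0 */
        out[pos++] = (unsigned char)len;
        memcpy(out + pos, p, len);
        pos += len;
        if (!dot) break;
        p = dot + 1;
    }
    if (pos >= cap || pos + 1 > DNS_NAME_MAX) return -1;
    out[pos++] = 0;
    return (int)pos;
}

/* Decode the possibly compressed name at msg[off] into name[cap] as dotted text.
 * len is what recvfrom() returned; nothing inside the message is trusted beyond it.
 * Pointers must go strictly backwards, so a pointer loop is rejected, not spun on.
 * Returns the offset of the field after the name, or -1 on malformed input. */
int dns_decode_name(const unsigned char *msg, size_t len, size_t off,
                    char *name, size_t cap)
{
    size_t out = 0, low = off, ptr;   /* low: lowest offset a pointer may target */
    int next = -1;                    /* offset just after the in-place part */
    if (cap == 0) return -1;
    for (;;) {
        unsigned lab;
        if (off >= len) return -1;
        lab = msg[off];
        if ((lab & 0xC0) == 0xC0) {                  /* compression pointer */
            if (off + 1 >= len) return -1;
            if (next < 0) next = (int)(off + 2);
            ptr = ((lab & 0x3Fu) << 8) | msg[off + 1];
            if (ptr >= low) return -1;               /* forward pointer or loop */
            low = off = ptr;
            continue;
        }
        if (lab & 0xC0) return -1;                   /* 0x40 / 0x80 are reserved */
        off++;
        if (lab == 0) break;                         /* root label: done */
        if (lab > len - off) return -1;              /* label runs past the data */
        if (out + lab + 2 > cap) return -1;          /* '.' + label + NUL must fit */
        if (out) name[out++] = '.';
        memcpy(name + out, msg + off, lab);
        out += lab; off += lab;
    }
    name[out] = '\0';
    return next >= 0 ? next : (int)off;
}

/* Skip the question section, then write the first A record as dotted text into
 * ip[cap]: 0 on success, -1 if anything is truncated or RDLENGTH claims more
 * bytes than were received. */
int dns_first_a_record(const unsigned char *msg, size_t len, char *ip, size_t cap)
{
    char name[DNS_NAME_MAX + 1];
    size_t i, off = 12, qd, an; unsigned type, rdlen; int n;
    if (len < 12) return -1;                         /* header incomplete */
    qd = (msg[4] << 8) | msg[5];
    an = (msg[6] << 8) | msg[7];
    for (i = 0; i < qd; i++) {                       /* QNAME, QTYPE, QCLASS */
        n = dns_decode_name(msg, len, off, name, sizeof name);
        if (n < 0 || (size_t)n + 4 > len) return -1;
        off = (size_t)n + 4;
    }
    for (i = 0; i < an; i++) {                       /* NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA */
        n = dns_decode_name(msg, len, off, name, sizeof name);
        if (n < 0 || (size_t)n + 10 > len) return -1;
        off = (size_t)n;
        type  = (msg[off] << 8) | msg[off + 1];
        rdlen = (msg[off + 8] << 8) | msg[off + 9];
        off += 10;
        if (rdlen > len - off) return -1;            /* RDLENGTH lies about the rest */
        if (type == 1 && rdlen == 4) {
            snprintf(ip, cap, "%u.%u.%u.%u", (unsigned)msg[off], (unsigned)msg[off + 1],
                     (unsigned)msg[off + 2], (unsigned)msg[off + 3]);
            return 0;
        }
        off += rdlen;
    }
    return -1;
}
```

Call dns_first_a_record() with the value recvfrom() returned as len, never with the size of the buffer: the reply ends where the datagram ended, and the buffer past that point is whatever memset() or the previous reply left there.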
You're asking all the wrong questions; the only important thing that's missing is the declaration of msg:
All of the problems were in recvfrom(), nothing else matters; when (if) the program died, it died on recvfrom().
note: at the end of DnsLookup() the msg contains the entire dns response, with all the answers, so it's pretty big.