mpr, mps: Fix a stack buffer overflow in the user passthru ioctl
author Mark Johnston <markj@FreeBSD.org>
Fri, 8 Jan 2021 18:32:04 +0000 (13:32 -0500)
committer Mark Johnston <markj@FreeBSD.org>
Mon, 11 Jan 2021 14:43:37 +0000 (09:43 -0500)
commit ed6fa9d618bff47dcd3fb000e5805e29d331578d
tree 18c28f15e4bd6fa5a4a3a45c95013f1a743defef
parent ee01a1e7d862a5a33b43b8ae9da220d83f089c21
mpr, mps: Fix a stack buffer overflow in the user passthru ioctl

Previously we copied in the request into a stack-allocated structure
that could be smaller than the request size.  Furthermore, we checked
the request size only after doing the copyin.

Fix this by allocating a buffer to hold the request, then copying the
buffer's contents into a command descriptor.  This is a bit heavy-handed
but I expect the overhead will not be noticeable.  The approach of
copying the header in first is susceptible to TOCTOU problems.

Reviewed by: imp
Reported by: maxpl0it@protonmail.com
Differential Revision: https://reviews.freebsd.org/D27963

(cherry picked from commit de828a91db29fb20440e0d92f3d3136b314a9584)
sys/dev/mpr/mpr_user.c
sys/dev/mps/mps_user.c
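
The ordering issue described in the commit message, as an added userland example that is not the FreeBSD driver code: `header_first_len` shows how a length validated on one fetch can differ on a second fetch, and `single_fetch` checks the size before copying and then works only from its own copy. All names here (`copyin_sim`, `req_hdr`, `cmd_desc`, `FRAME_MAX`, `racing`) are hypothetical, and the concurrent writer is simulated inside `copyin_sim`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_MAX 128  /* assumed descriptor size, not the driver's value */
struct req_hdr { uint32_t len; uint32_t function; };  /* hypothetical header */
struct cmd_desc { uint8_t frame[FRAME_MAX]; };        /* hypothetical descriptor */
static int racing;     /* constructed: "user space" rewrites hdr.len after a fetch */
static const uint32_t race_len = 4096;

/* Stand-in for copyin(9); user memory can change between two calls. */
static int copyin_sim(void *uaddr, void *kaddr, size_t len)
{
    memcpy(kaddr, uaddr, len);
    if (racing)
        memcpy(uaddr, &race_len, sizeof(race_len));  /* len is the first field */
    return 0;
}

/* Header-first: validates hdr.len, then fetches the same bytes again. */
static uint32_t header_first_len(void *ureq)
{
    struct req_hdr hdr, again;
    copyin_sim(ureq, &hdr, sizeof(hdr));
    if (hdr.len < sizeof(hdr) || hdr.len > FRAME_MAX)
        return 0;
    copyin_sim(ureq, &again, sizeof(again));
    return again.len;  /* may differ from the value that was checked */
}

/* Single fetch: size checked before any copy; later code reads only kbuf. */
static int single_fetch(void *ureq, size_t req_len, struct cmd_desc *cm)
{
    void *kbuf;
    if (req_len < sizeof(struct req_hdr) || req_len > sizeof(cm->frame))
        return EINVAL;
    if ((kbuf = malloc(req_len)) == NULL)
        return ENOMEM;
    copyin_sim(ureq, kbuf, req_len);
    memset(cm->frame, 0, sizeof(cm->frame));
    memcpy(cm->frame, kbuf, req_len);  /* bounded by the check above */
    free(kbuf);
    return 0;
}
```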