
sppp: Fix getting wrong spppreq cmd from ioctl

Description

sppp: Fix getting wrong spppreq cmd from ioctl

ifr->ifr_data is supposed to point to a struct spppreq. The first member
cmd of struct spppreq is of int type. It was pre-read via fueword() before
the full fetch. Unfortunately a user space struct spppreq spr may not
be zeroed explicitly; on 64-bit architectures fueword() reads a 64-bit word,
thus the garbage (extra 4 bytes) may be read into kernel space (subcmd).

Prior to f9d8181868ee, subcmd was declared as int and assigned from
fuword() and was implicitly converted from long to int. On 64-bit little
endian architectures the implicit conversion overflows (undefined
behavior), which happens to trash the garbage (the extra 4 bytes, high
32 bits) and worked, but no luck on 64-bit big endian architectures.

Since f9d8181868ee subcmd was changed to u_long, so there is no
conversion and we end up mismatching subcmd with user space's cmd.

It is also a bit hackish to get the value of cmd via fueword(), instead
we refer to it directly from spr->cmd.

This is a direct commit to stable/13 as sppp(4) no longer exists in main
and stable/14.

PR: 173002
Reviewed by: glebius (previous version)
Fixes: f9d8181868ee Fixed yet more ioctl breakage due to the type of ...
Differential Revision: https://reviews.freebsd.org/D47335
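To make the byte-order argument above concrete, here is an added stand-alone C model (not code from the sppp driver or this commit) of what a 64-bit fueword() fetches from the start of an unzeroed user struct spppreq on a little-endian versus a big-endian target, and what reading the int member directly yields instead. The sample cmd and garbage values, the store/load helpers, and the function names are constructed for the illustration.

```c
#include <stdint.h>

/* Constructed sample values: the cmd a user program stored in its struct
 * spppreq, and the never-zeroed bytes that happen to follow that int. */
#define SAMPLE_CMD     0x1234
#define SAMPLE_GARBAGE 0xdeadbeefU

/* Store/load an n-byte integer in the target's byte order, so a little-endian
 * (be=0) and a big-endian (be=1) 64-bit target can both be modelled here. */
static void store(uint8_t *p, uint64_t v, int n, int be)
{
	for (int i = 0; i < n; i++)
		p[i] = (uint8_t)(v >> (8 * (be ? n - 1 - i : i)));
}

static uint64_t load(const uint8_t *p, int n, int be)
{
	uint64_t v = 0;
	for (int i = 0; i < n; i++)
		v |= (uint64_t)p[i] << (8 * (be ? n - 1 - i : i));
	return v;
}

/* Lay out the first 8 bytes of the user's struct spppreq: the int cmd,
 * then whatever was already sitting in memory after it. */
static void user_spppreq(uint8_t buf[8], int be)
{
	store(buf, SAMPLE_CMD, 4, be);
	store(buf + 4, SAMPLE_GARBAGE, 4, be);
}

/* What fueword(&spr->cmd) hands back on a 64-bit target: one whole machine
 * word. Since f9d8181868ee this is the u_long subcmd as-is; before it the
 * value was narrowed to int, i.e. (int)subcmd_via_fueword(be). */
static uint64_t subcmd_via_fueword(int be)
{
	uint8_t buf[8];
	user_spppreq(buf, be);
	return load(buf, 8, be);
}

/* The fix: read the int member spr->cmd itself, nothing past its 4 bytes. */
static int subcmd_from_spr_cmd(int be)
{
	uint8_t buf[8];
	user_spppreq(buf, be);
	return (int)load(buf, 4, be);
}
```

On the little-endian model the narrowing to int discards the garbage in the high half; on the big-endian model the garbage is what survives, while reading spr->cmd directly gives the right value on both.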

Details

Provenance
zlei authored on Tue, Jan 14, 10:56 AM
Reviewer
glebius
Differential Revision
D47335: sppp: Fix getting wrong spppreq cmd from ioctl
Parents
rG163951959866: MFC: libmagic: Unbreak for older FreeBSD releases.