dummynet: Avoid an out-of-bounds read in do_config()

do_config() processes a buffer of variable-length dummynet commands.
The loop which processes this buffer loads the fixed-length header
before checking whether there are any bytes left to read, so it performs
a 4-byte read past the end of the buffer before terminating.

Restructure the loop to avoid this.

Reported by: Jenkins (KASAN job)
Reviewed by: kp
Sponsored by: The FreeBSD Foundation

(cherry picked from commit d5ea04ee7ba6c7cd8e0918a080caf5f2c8fb3955)