The fixed length read is exactly what CGI.pm and SOAP::Lite use.

You should do more validation to be safe. First, check the Content-Type. It is fine to post the XML directly to the script, but the client should set a Content-Type of text/xml. This will keep you from interpreting normal form posts as XML.

Second, check that content length is set and check for a maximum content length. If you don't, an attacker can post 20 GB to your script and it will happily try to read it all into memory.