machMessageSize does:

        if (numberOfOOLMemoryDescriptors)
            size += (numberOfOOLMemoryDescriptors * sizeof(mach_msg_ool_ports_descriptor_t));

but then uses descriptor->out_of_line, which is a mach_msg_ool_descriptor_t.