size_t's unit is "what is returned by sizeof" - generally bytes. However, it's being used as a counter for the number of elements in an OID in the library - eg. "size_t objToCopyLen [...] malloc(objToCopyLen * sizeof(oid));" (which calls malloc with units of bytes^2!).
In particular, struct elements for vacm.h:vacm_viewEntry, snmpusm.h:usmStateReference, and snmpusm.h:usmUser are in size_t when they should probably be unsigned ints, and their mistype is propogated in the API's calls.