How to safely pass variables to root-enabled scripts?

Running shell scripts under sudo is safe provided that sudo is configured to reset the environment. Conversely, if sudo doesn't reset the environment, then running a shell script is not safe, even if your script doesn't use its parameters (see Allow setuid on shell scripts). Make sure that you have Defaults env_reset in /etc/sudoers or that this option is the compile-time default (sudo sudo -V | grep env should include Reset the environment to a default set of variables).

There is no particular danger in using the script parameters. $1 is a string, all you need to make sure is that you're using it as a string. (For example, don't do eval "$1".) Obviously, it's especially important here not to make assumptions about the contents of the variable, and to put double quotes around all variable substitutions (i.e. write "$1", not $1). Note that putting double quotes around variable substitutions isn't specific to scripts running with privileges, it's something you must do all the time.

You may want to validate the parameter further, depending on what udhcpc does with something that doesn't look like a host name. For example, this will perform a first syntactic check:

#!/bin/sh
case "$1" in
  *[!:-.0-9A-Za-z]*|-*) echo 1>&2 "Badly formed host name!"; exit 3;;
esac
udhcpc -b -i eth0 -h "$1"

You should match the passed input against known a good pattern.

For example, it looks like an IP address might be valid input for you. So you could use something like this:

if [[ "$1" =~ ^[0-9]?[0-9]?[0-9].[0-9]?[0-9]?[0-9].[0-9]?[0-9]?[0-9]$ ]]
then
  udhcpc -b -i eth0 -h "$1"
else
  echo "Don't mess with me pork chop."
fi

Note, that regexp hasn't been tested, you're responsible for making sure your regexp doesn't allow anything dangerous.